An extension of system F with subtyping 

Luca Cardelli, Simone Martini, John C. Mitchell, Andre Scedrov



Abstract 

System F is a well-known typed λ-calculus with polymorphic types, which provides a basis for polymorphic programming languages. We study an extension of F, called F<: (pronounced ef-sub), that combines parametric polymorphism with subtyping.

The main focus of the paper is the equational theory of F<:, which is related to PER models and the notion of parametricity. We study some categorical properties of the theory when restricted to closed terms, including interesting categorical isomorphisms. We also investigate proof-theoretical properties, such as the conservativity of typing judgments with respect to F.

We demonstrate by a set of examples how a range of constructs may be encoded in F<:. These include record operations and subtyping hierarchies that are related to features of object-oriented languages.

1. Introduction

System F [Gir 71] [Rey 74] is a well-known typed λ-calculus with polymorphic types that provides a basis for polymorphic programming languages. We study an extension of F that combines parametric polymorphism [Str 67] with subtyping. We call this language F<:, where <: is our symbol for the subtype relation. F<: is closely related to the language F≤ identified by Curien, and used by Curien and Ghelli primarily as a test case for certain mathematical techniques [Ghe 90] [CG 91]. F≤ is, in turn, a fragment of the language Fun [CW 85]. In spite of F<:'s apparent minimality, it has become apparent that a range of constructs may be encoded in it (or in F≤); these include many of the record operations and subtyping features of [Car 88], [CM 91] and related work that are connected to operations used in object-oriented programming. We illustrate some of the power of F<: in Section 3; see also [Car 91].

We have also found that the study of F<: raises semantic questions of independent interest. A major concern in this paper is an equational theory for F<: terms. The equational axioms for most systems of typed λ-calculi arise naturally as a consequence of characterizing type connectives by adjoint situations (for example). In addition, it is often the case that provable equality may be captured by a reduction system obtained by orienting the equational axioms in a straightforward way. However, both of these properties appear to fail for F<:. A simple example illustrates some of the basic issues.

Consider the polymorphic type ∀(A)A→A→A. This type is commonly referred to as Bool, since in system F and related systems there are two definable elements of this type. These elements are written as the following normal forms:

  true  = λ(A) λ(x:A) λ(y:A) x
  false = λ(A) λ(x:A) λ(y:A) y

In F<:, however, there are two additional normal forms of type Bool. These arise because we have a maximal type Top, which has all other types as its subtypes. The main idea behind the additional terms is that we can change the type of any argument not used in the body of a term to Top, and still have a term of the same type (by antimonotonicity of the left operand of → with respect to <:). This gives us the following two normal forms of type Bool.

  true'  = λ(A) λ(x:A) λ(y:Top) x
  false' = λ(A) λ(x:Top) λ(y:A) y

However, true and true' are completely equivalent terms when considered at type Bool. Specifically, for any type A, the terms true(A) and true'(A) define extensionally equal functions of type A→A→A. Put proof-theoretically, if we take any term a containing true with the property that when reducing a to normal form we apply each occurrence of true to two arguments, then we may replace any or all occurrences of true by true' and obtain a provably equal term. For this reason, it seems natural to consider true = true', and similarly false = false', even though these terms have different normal forms. When we add these two equations to our theory, we restore the pleasing property that Bool contains precisely two equivalence classes of normal forms.

While our initial examination of the equational theory of F<: was motivated by a vague intuition about observable properties of normal forms, our primary guide is the PER semantics of polymorphic λ-calculus with subtyping [BL 88] [CL 90] [Ghe 90] [See 90]. One relevant characteristic of PER models is the parametric behavior of polymorphic functions. Specifically, since polymorphic functions operate independently of their type parameter, they may be considered equivalent at all their type instances. In F<: we can state a consequence of this notion of parametricity, namely that whenever the two type instances have a common supertype, they will be equal when considered as elements of that supertype (see the rule (Eq appl2) in section 2.2). Hence the syntax of F<: can state, at least to some extent, the semantic notion of parametricity investigated in [Rey 83], [Fre 91], and [MS 91]. A general principle we have followed is to adopt axioms that express parametricity properties satisfied by PER models, but not to capture explicitly the exact theory of PER models [Mit 90]. This leads us to a new angle on parametricity which may prove useful in further study, and also gives us a set of axioms that are sufficient to prove true = true', and other expected equations, without appearing contrived to fit these particular examples.

While F<: differs from each of the λ-calculi mentioned above, several properties of F<: transfer easily from related work; in particular, F<: differs from F≤ [CG 91] only in the equational theory. For syntactic properties we have strong normalization [Ghe 90]; canonical type derivations, coherence, minimum typing [CG 91]; and confluence of the β-η-TopCollapse equational theory [CG 91a]. The PER semantics follows easily from the work in [BL 88], [CL 90], [Ghe 90], and [See 90]. While an alternative semantics could perhaps be developed in the style of [BFSS 90] and [Fre 91], we do not explore that possibility here.

The main results of this paper are an equational theory for F<:, some proof-theoretic properties developed in section 2 including conservativity of F<: typing over F, a set of examples in section 3 demonstrating the expressiveness of F<: (some reported earlier in [CL 90], and in [Ghe 90] with attribution), and in section 4 some categorical properties of the theory when restricted to closed terms.

2. System F<:

F<: is obtained by extending F [Gir 71] [Rey 74] (see Appendix) with a notion of subtyping (<:). This extension allows us to remain within a pure calculus. That is, we introduce neither the basic types, nor the structured types, normally associated with subtyping in programming languages. Instead, we show that these programming types can be obtained via encodings within the pure calculus. In particular, we can encode record types with their subtyping relations [Car 88].
2.1 Syntax

Subtyping is reflected in the syntax of types by a new type constant Top (the supertype of all types), and by a subtype bound on second-order quantifiers: ∀(X<:A)A' (bounded quantifiers [CW 85]). Ordinary second-order quantifiers are recovered by setting the quantifier bound to Top; we use ∀(X)A for ∀(X<:Top)A. The syntax of values is extended by a constant top of type Top (mostly a convenience), and by a subtype bound on polymorphic functions, λ(X<:A)a. We use λ(X)a for λ(X<:Top)a.

Syntax

  A,B ::=            Types
    X                type variables
    Top              the supertype of all types
    A→B              function spaces
    ∀(X<:A)B         bounded quantifications

  a,b ::=            Values
    x                value variables
    top              the canonical value of type Top
    λ(x:A)b          functions
    b(a)             applications
    λ(X<:A)b         bounded type functions
    b(A)             type applications

The → operator associates to the right. The scoping of λ and ∀ extends to the right as far as possible. Types and terms can be parenthesized.

A subtyping judgment is added to F's judgments. Moreover, the equality judgment on values is made relative to a type; this is important since values in F<: can have many types, and two values may or may not be equivalent depending on the type that those values are considered as possessing (see, for example, the rule (Eq collapse) in section 2.2).

Judgments

  ⊢ E env          E is a well-formed environment
  E ⊢ A type       A is a type
  E ⊢ A <: B       A is a subtype of B
  E ⊢ a : A        a has type A
  E ⊢ a ↔ b : A    a and b are equal members of type A

We use dom(E) for the set of variables defined by an environment E. 

As usual, we identify terms up to renaming of bound variables; that is, using B{X←C} for the substitution of C for X in B, and FV(-) for sets of free variables:

  ∀(X<:A)B = ∀(Y<:A)B{X←Y}    where Y ∉ FV(B)
  λ(x:A)b = λ(y:A)b{x←y}      where y ∉ FV(b)
  λ(X<:A)b = λ(Y<:A)b{X←Y}    where Y ∉ FV(b)



These identifications can be made directly on the syntax; that is, without knowing 
whether the terms involved are the product of formal derivations in the system. By 
adopting these identifications, we avoid the need of a type equivalence judgment for 
quantifier renaming. 

Environments, however, are not identified up to renaming of variables in their 
domains; environment variables are kept distinct by construction. A more formal 
approach would use de Bruijn indices for free and bound variables [deB 72]. 

2.2 Rules 

The inference rules of F<: are listed below; the only essential difference between these and the ones of F≤ [Ghe 90] [CG 91] is in the more general (Eq appl2) rule. We now comment on the most interesting aspects of the rules. (See also the discussion about (Eq appl2) in section 2.4.)

The subtyping judgment, E ⊢ A <: B, is, for any E, a reflexive and transitive relation on types with a subsumption property; that is, a member of a type is also a member of any supertype of that type. Every type is a subtype of Top. The function space operator → is antimonotonic in its first argument and monotonic in its second. A bounded quantifier is antimonotonic in its bound and monotonic in its body under an assumption about the free variable.

The rules for the typing judgment, E ⊢ a : A, are the same as the corresponding rules in F, except for the extension to bounded quantifiers. However, additional typing power is hidden in the subsumption rule, which allows a function to take an argument of a subtype of its input type.

Most of the equivalence rules, E ⊢ a ↔ b : A, are unremarkable. They provide symmetry, transitivity, congruence on the syntax, and β and η equivalences. Two rules, however, stand out. The first, (Eq collapse) (also called the Top-collapse rule), states that any two terms are equivalent when "seen" at type Top; since no operations are available on members of Top, all values are indistinguishable at that type. The second, (Eq appl2), is the congruence rule for polymorphic type application, giving general conditions under which two expressions b'(A') and b''(A'') are equivalent at a type C. This rule has many intriguing consequences, which will be amply explored throughout this work. (We occasionally write E ⊢ A,B<:C for E ⊢ A<:C ∧ E ⊢ B<:C, and so on.)
Environments

(Env ∅)
  ─────────
  ⊢ ∅ env

(Env x)
  E ⊢ A type    x ∉ dom(E)
  ─────────────────────────
  ⊢ E,x:A env

(Env X)
  E ⊢ A type    X ∉ dom(E)
  ─────────────────────────
  ⊢ E,X<:A env

Types

(Type X)
  ⊢ E,X<:A,E' env
  ──────────────────────
  E,X<:A,E' ⊢ X type

(Type Top)
  ⊢ E env
  ───────────────
  E ⊢ Top type

(Type →)
  E ⊢ A type    E ⊢ B type
  ─────────────────────────
  E ⊢ A→B type

(Type ∀)
  E,X<:A ⊢ B type
  ──────────────────────
  E ⊢ ∀(X<:A)B type



Subtypes

(Sub refl)
  E ⊢ A type
  ─────────────
  E ⊢ A<:A

(Sub trans)
  E ⊢ A<:B    E ⊢ B<:C
  ──────────────────────
  E ⊢ A<:C

(Sub X)
  ⊢ E,X<:A,E' env
  ──────────────────────
  E,X<:A,E' ⊢ X<:A

(Sub Top)
  E ⊢ A type
  ───────────────
  E ⊢ A <: Top

(Sub →)
  E ⊢ A'<:A    E ⊢ B<:B'
  ────────────────────────
  E ⊢ A→B <: A'→B'

(Sub ∀)
  E ⊢ A'<:A    E,X<:A' ⊢ B<:B'
  ───────────────────────────────────
  E ⊢ ∀(X<:A)B <: ∀(X<:A')B'



Values

(Subsumption)
  E ⊢ a : A    E ⊢ A<:B
  ───────────────────────
  E ⊢ a : B

(Val x)
  ⊢ E,x:A,E' env
  ────────────────────
  E,x:A,E' ⊢ x : A

(Val top)
  ⊢ E env
  ─────────────────
  E ⊢ top : Top

(Val fun)
  E,x:A ⊢ b : B
  ──────────────────────────
  E ⊢ λ(x:A)b : A→B

(Val appl)
  E ⊢ b : A→B    E ⊢ a : A
  ─────────────────────────
  E ⊢ b(a) : B

(Val fun2)
  E,X<:A ⊢ b : B
  ───────────────────────────────
  E ⊢ λ(X<:A)b : ∀(X<:A)B

(Val appl2)
  E ⊢ b : ∀(X<:A)B    E ⊢ A'<:A
  ────────────────────────────────
  E ⊢ b(A') : B{X←A'}



Equivalence

(Eq symm)
  E ⊢ a↔b : A
  ─────────────
  E ⊢ b↔a : A

(Eq trans)
  E ⊢ a↔b : A    E ⊢ b↔c : A
  ───────────────────────────
  E ⊢ a↔c : A

(Eq x)
  E ⊢ x : A
  ─────────────
  E ⊢ x↔x : A

(Eq collapse)
  E ⊢ a : Top    E ⊢ b : Top
  ───────────────────────────
  E ⊢ a↔b : Top

(Eq fun)
  E,x:A ⊢ b↔b' : B
  ────────────────────────────────
  E ⊢ λ(x:A)b ↔ λ(x:A)b' : A→B

(Eq appl)
  E ⊢ b↔b' : A→B    E ⊢ a↔a' : A
  ─────────────────────────────────
  E ⊢ b(a) ↔ b'(a') : B

(Eq fun2)
  E,X<:A ⊢ b↔b' : B
  ──────────────────────────────────────────
  E ⊢ λ(X<:A)b ↔ λ(X<:A)b' : ∀(X<:A)B

(Eq appl2)
  E ⊢ b'↔b'' : ∀(X<:A)B    E ⊢ A',A''<:A    E ⊢ B{X←A'},B{X←A''} <: C
  ──────────────────────────────────────────────────────────────────────
  E ⊢ b'(A') ↔ b''(A'') : C

(Eq eta)
  E ⊢ b↔b' : A→B    y ∉ dom(E)
  ──────────────────────────────
  E ⊢ λ(y:A)b(y) ↔ b' : A→B

(Eq eta2)
  E ⊢ b↔b' : ∀(X<:A)B    Y ∉ dom(E)
  ────────────────────────────────────
  E ⊢ λ(Y<:A)b(Y) ↔ b' : ∀(X<:A)B

(Eq beta)
  E,x:A ⊢ b↔b' : B    E ⊢ a↔a' : A
  ───────────────────────────────────
  E ⊢ (λ(x:A)b)(a) ↔ b'{x←a'} : B

(Eq beta2)
  E,X<:A ⊢ b↔b' : B    E ⊢ A'<:A
  ───────────────────────────────────────────
  E ⊢ (λ(X<:A)b)(A') ↔ b'{X←A'} : B{X←A'}



2.3 Basic properties 

We now state some basic lemmas about F<: derivations. Most of these are proven by (simultaneous) induction on the size of the derivations; the proofs are long, but straightforward if carried out in the order indicated. We conclude the section with an application of these lemmas, showing that typing is preserved under β-η-reductions.

Notation

Let ϑ stand for either C type, C<:C', c:C, or c↔c':C.

Lemma (Renaming)

Assume Y ∉ dom(E,X<:D,E').
  ⊢ E,X<:D,E' env ⟹ ⊢ E,Y<:D,E'{X←Y} env      (equal-size derivations)
  E,X<:D,E' ⊢ ϑ ⟹ E,Y<:D,E'{X←Y} ⊢ ϑ{X←Y}     (equal-size derivations)

Assume y ∉ dom(E,x:D,E').
  ⊢ E,x:D,E' env ⟹ ⊢ E,y:D,E' env               (equal-size derivations)
  E,x:D,E' ⊢ ϑ ⟹ E,y:D,E' ⊢ ϑ{x←y}             (equal-size derivations)
Lemma (Implied judgments)

  (ϑ/env)     ⊢ E,F env ⟹ ⊢ E env
              E,F ⊢ ϑ ⟹ ⊢ E env
  (env/type)  ⊢ E,X<:D,E' env ⟹ E ⊢ D type
              ⊢ E,x:D,E' env ⟹ E ⊢ D type

Lemma (Bound change)

  ⊢ E,X<:D',E' env, E ⊢ D type ⟹ ⊢ E,X<:D,E' env
  E,X<:D',E' ⊢ C type, E ⊢ D type ⟹ E,X<:D,E' ⊢ C type

Lemma (Weakening)

Let β stand for either X<:D or x:D.
Assume ⊢ E,β env, and X,x ∉ dom(E').

  ⊢ E,E' env ⟹ ⊢ E,β,E' env
  E,E' ⊢ ϑ ⟹ E,β,E' ⊢ ϑ

Lemma (Multiple weakening)

Assume ⊢ E,F env and dom(F)∩dom(E')=∅.
  ⊢ E,E' env ⟹ ⊢ E,F,E' env
  E,E' ⊢ ϑ ⟹ E,F,E' ⊢ ϑ
Proof Induction on the length of F. □

Lemma (Implied judgments, continued)

  (sub/type)  E ⊢ C<:C' ⟹ E ⊢ C type, E ⊢ C' type

Lemma (Bound weakening)

Let ⟨β,β'⟩ stand for either ⟨X<:D,X<:D'⟩ or ⟨x:D,x:D'⟩.
Assume E ⊢ D'<:D.

  ⊢ E,β,E' env ⟹ ⊢ E,β',E' env
  E,β,E' ⊢ ϑ ⟹ E,β',E' ⊢ ϑ

Lemma (Type substitution)

Assume E ⊢ D'<:D; then
  ⊢ E,X<:D,E' env ⟹ ⊢ E,E'{X←D'} env
  E,X<:D,E' ⊢ ϑ ⟹ E,E'{X←D'} ⊢ ϑ{X←D'}

Lemma (Value substitution)

Assume E ⊢ d:D; then
  ⊢ E,x:D,E' env ⟹ ⊢ E,E' env
  E,x:D,E' ⊢ ϑ ⟹ E,E' ⊢ ϑ{x←d}

Lemma (Value strengthening)

Assume x ∉ FV(ϑ); then, for ϑ ≠ c↔c':C,
  ⊢ E,x:D,E' env ⟹ ⊢ E,E' env
  E,x:D,E' ⊢ ϑ ⟹ E,E' ⊢ ϑ



Lemma (Implied judgments, continued)

  (val/type)  E ⊢ c : C ⟹ E ⊢ C type
  (eq/val)    E ⊢ c↔c' : C ⟹ E ⊢ c : C, E ⊢ c' : C

Lemma (Eq subsumption)

  E ⊢ c↔c' : C, E ⊢ C<:D ⟹ E ⊢ c↔c' : D

Proof

By the sub/type lemma, E ⊢ C type. Take x ∉ dom(E). Then ⊢ E,x:C env and E,x:C ⊢ x:C.
By the weakening lemma, E,x:C ⊢ C<:D.
By (Subsumption) E,x:C ⊢ x:D, and by (Eq x), E,x:C ⊢ x↔x : D.
By (Eq fun), E ⊢ λ(x:C)x ↔ λ(x:C)x : C→D.
By hypothesis and (Eq appl), E ⊢ (λ(x:C)x)(c) ↔ (λ(x:C)x)(c') : D.
By (Eq beta), E ⊢ (λ(x:C)x)(c) ↔ c' : D.
By (Eq symm) (Eq beta), E ⊢ (λ(x:C)x)(c') ↔ c : D.
Hence by (Eq symm) (Eq trans), E ⊢ c↔c' : D. □

Lemma (Implied judgments, continued)

  (val/eq)  E ⊢ c : C ⟹ E ⊢ c↔c : C

Lemma (Congruence)

  E ⊢ d↔d' : D ∧ E,x:D,E' ⊢ c:C ⟹ E,E' ⊢ c{x←d} ↔ c{x←d'} : C

Lemma (Exchange)

Let β stand for either X<:D or x:D.
Let β' stand for either X'<:D' or x':D'.
Assume ⊢ E,β' env.

  ⊢ E,β,β',E' env ⟹ ⊢ E,β',β,E' env
  E,β,β',E' ⊢ ϑ ⟹ E,β',β,E' ⊢ ϑ

Lemma (Substitution exchange)

Let β stand for either x':D' or X'<:D'.

  ⊢ E,X<:D,β,E' env ⟹ ⊢ E,β{X←D},X<:D,E' env
  E,X<:D,β,E' ⊢ C type ⟹ E,β{X←D},X<:D,E' ⊢ C type

The following two lemmas draw conclusions about the shape of terms and derivations from the fact that certain subtyping and typing judgments have been derived.

Lemma (Subtyping decomposition)

• If E ⊢ A<:X, then A=Y₁ for some type variable Y₁, and either Y₁=X, or for some n≥1, Y₁<:Y₂ ∈ E ... Yₙ<:X ∈ E.
• If E,X<:B,E' ⊢ X<:A, then either A=X or E,X<:B,E' ⊢ B<:A.
• If E ⊢ Top<:A, then A=Top.
• If E ⊢ B'→B'' <: A, then either A=Top, or A=A'→A'', E ⊢ A'<:B' and E ⊢ B''<:A''.
• If E ⊢ A <: B'→B'', then either A=A'→A'' for some A',A'', with E ⊢ B'<:A' and E ⊢ A''<:B'', or A=X₁ and for some A',A'',n≥1: X₁<:X₂ ∈ E ... Xₙ<:A'→A'' ∈ E with E ⊢ B'<:A' and E ⊢ A''<:B''.
• If E ⊢ ∀(X<:B')B'' <: A, then either A=Top, or A=∀(X<:A')A'', E ⊢ A'<:B' and E,X<:A' ⊢ B''<:A''.
• If E ⊢ A <: ∀(X<:B')B'', then either A=∀(X<:A')A'' for some A',A'', with E ⊢ B'<:A' and E,X<:B' ⊢ A''<:B'', or A=X₁ and for some A',A'',n≥1: X₁<:X₂ ∈ E ... Xₙ<:∀(X<:A')A'' ∈ E with E ⊢ B'<:A' and E,X<:B' ⊢ A''<:B''.

Proof (sketch)

All cases are proven by induction on the size of the derivations, in order to circumvent the (Sub refl) and (Sub trans) rules that do not follow the structure of terms. Otherwise the proofs are straightforward. □

Lemma (Typing decomposition)

• If E,x:D,E' ⊢ x:C, then E ⊢ D<:C.
• If E ⊢ top:A, then A=Top.
• If E ⊢ λ(x:B')b : A, then either A=Top, or, for some A',A'',B'', A=A'→A'' with E ⊢ A'<:B', E ⊢ B''<:A'', and E,x:B' ⊢ b : B''.
• If E ⊢ b(c) : B'', then for some B', E ⊢ b : B'→B'' and E ⊢ c : B'.
• If E ⊢ λ(X<:B')b : A, then either A=Top, or, for some A',A'',B'', A=∀(X<:A')A'' with E ⊢ A'<:B', E,X<:A' ⊢ B''<:A'', and E,X<:B' ⊢ b : B''.
• If E ⊢ b(C) : D, then for some B',B'',X, E ⊢ C<:B', E ⊢ B''{X←C} <: D, and E ⊢ b : ∀(X<:B')B''.

Proof (sketch)

All cases are proven by induction on the size of the derivations, in order to circumvent the (Subsumption) rule that does not follow the structure of terms. Otherwise the proofs are straightforward. □

We conclude with a proposition about the preservation of typing under β and η reduction. The second-order η case is by far the hardest, and it requires the following lemma about the elimination of unused free variables (FV).
Lemma (Non-occurring type variable)

If X ∉ FV(c,E') and E,X<:D,E' ⊢ c : C, then for some C₀ with X ∉ FV(C₀):
  E,X<:D,E' ⊢ c : C₀ and E,X<:D,E' ⊢ C₀ <: C

Proof

By induction on the derivation of E,X<:D,E' ⊢ c : C. The interesting cases are (Val appl) and (Val appl2), where we use the subtyping decomposition lemmas for → and ∀. We show the (Val appl2) case, where we have:

  c = b(A'), C = B{Y←A'} (for Y ∉ dom(E,X<:D,E'))
  E,X<:D,E' ⊢ b : ∀(Y<:A)B, E,X<:D,E' ⊢ A'<:A.

Since X ∉ FV(b), by induction there is a type AB₀ with X ∉ FV(AB₀), and

  E,X<:D,E' ⊢ b : AB₀, E,X<:D,E' ⊢ AB₀ <: ∀(Y<:A)B.

By the (subtyping decomposition lemma):

  either AB₀ = ∀(Y<:A₀)B₀ for some A₀,B₀, with E,X<:D,E' ⊢ A<:A₀ and E,X<:D,E',Y<:A₀ ⊢ B₀<:B.
  Hence X ∉ FV(∀(Y<:A₀)B₀) and E,X<:D,E' ⊢ b : ∀(Y<:A₀)B₀;

  or AB₀ = X₁ and for some A₀,B₀,n≥1:
    X₁<:X₂ ∈ E,X<:D,E' ... Xₙ<:∀(Y<:A₀)B₀ ∈ E,X<:D,E'
  with E,X<:D,E' ⊢ A<:A₀ and E,X<:D,E',Y<:A₀ ⊢ B₀<:B.
  If Xₙ<:∀(Y<:A₀)B₀ ∈ E: X ∉ FV(∀(Y<:A₀)B₀) since X comes after E.
  If Xₙ<:∀(Y<:A₀)B₀ = X<:D: X ∉ FV(D = ∀(Y<:A₀)B₀).
  If Xₙ<:∀(Y<:A₀)B₀ ∈ E': X ∉ FV(∀(Y<:A₀)B₀) by the hypothesis X ∉ FV(E').
  By n uses of (Sub X) and (Subsumption), E,X<:D,E' ⊢ b : ∀(Y<:A₀)B₀.

Hence, in both cases, by (Sub trans), E,X<:D,E' ⊢ A' <: A₀, and E,X<:D,E' ⊢ b(A') : B₀{Y←A'}, with X ∉ FV(B₀{Y←A'}).
Moreover, from E,X<:D,E',Y<:A₀ ⊢ B₀<:B, by the (bound weakening lemma) E,X<:D,E',Y<:A' ⊢ B₀<:B, and by the (type substitution lemma) E,X<:D,E' ⊢ B₀{Y←A'} <: B{Y←A'}.
Hence we can take C₀ = B₀{Y←A'}. □

Proposition (Preservation of typing under β-η-reductions)

  (β1)  E ⊢ (λ(x:B)b)(c) : A ⟹ E ⊢ b{x←c} : A
  (η1)  E ⊢ λ(x:B)c(x) : A, x ∉ FV(c) ⟹ E ⊢ c : A
  (β2)  E ⊢ (λ(X<:B)b)(C) : A ⟹ E ⊢ b{X←C} : A
  (η2)  E ⊢ λ(X<:B)c(X) : A, X ∉ FV(c) ⟹ E ⊢ c : A
Proof

The first three cases are obtained easily by applying the appropriate decomposition lemmas, along with weakening, bound weakening, value and type substitution, and value strengthening.

The (η2) case goes as follows. From E ⊢ λ(X<:B)c(X) : A, by the (typing decomposition lemma) for fun2 and appl2, we obtain (omitting the easy case of A=Top), for some A',A'',B'',Y,C',C'':

  A ≡ ∀(X<:A')A'' with E ⊢ A'<:B', E,X<:A' ⊢ B''<:A'', and E,X<:B' ⊢ c(X) : B''
  E,X<:B' ⊢ c : ∀(Y<:C')C'' with E,X<:B' ⊢ X<:C' and E,X<:B' ⊢ C''{Y←X} <: B''.

Since X ∉ FV(c), by the (non-occurring type variable) lemma there is a D with:

  X ∉ FV(D) and E,X<:B' ⊢ c : D, E,X<:B' ⊢ D <: ∀(Y<:C')C''

Using the (subtyping decomposition lemma) on D we obtain two subcases that, for some D',D'', both lead to:

  E,X<:B' ⊢ c : ∀(Y<:D')D'', X ∉ FV(∀(Y<:D')D'')
  with E,X<:B' ⊢ C'<:D' and E,X<:B',Y<:C' ⊢ D''<:C''

By the (type strengthening lemma) from E,X<:B' ⊢ c : ∀(Y<:D')D'':

  E ⊢ c : ∀(Y<:D')D'', i.e. E ⊢ c : ∀(X<:D')D''{Y←X}

Now, to obtain the final goal E ⊢ c : ∀(X<:A')A'' via subsumption, we need to show only that E ⊢ ∀(X<:D')D''{Y←X} <: ∀(X<:A')A'', i.e. that:

  (1) E ⊢ A'<:D'
  (2) E,X<:A' ⊢ D''{Y←X} <: A''

For (1) we use the (type substitution lemma) to get:

  E ⊢ B'<:C'{X←B'}                 (from E,X<:B' ⊢ X<:C')
  E ⊢ C'{X←B'} <: D'{X←B'} = D'    (from E,X<:B' ⊢ C'<:D')

Hence E ⊢ A'<:B'<:C'{X←B'}<:D'.

For (2) we use the (bound weakening lemma) twice to get:

  E,X<:A',Y<:X ⊢ D'' <: C''
  (from E,X<:B',Y<:C' ⊢ D'' <: C'', E,X<:B' ⊢ X<:C', E ⊢ A'<:B')

and from this, by the (type substitution lemma),

  E,X<:A' ⊢ D''{Y←X} <: C''{Y←X}

We also have, by the (bound weakening lemma):

  E,X<:A' ⊢ C''{Y←X} <: B''    (from E,X<:B' ⊢ C''{Y←X} <: B'', E ⊢ A'<:B')

Finally: E,X<:A' ⊢ D''{Y←X} <: C''{Y←X} <: B'' <: A''. □

Note that this proposition is nontrivial; for example, the (β1) case does not follow simply from the (Eq beta) rule and the eq/val lemma. Moreover, the derivation of E ⊢ b{x←c} : A will have, in general, quite a different shape than the derivation of E ⊢ (λ(x:B)b)(c) : A.

2.4 Derived rules 

Most of the lemmas in the previous section can be written down as derived inference 
rules. Here we discuss some derived rules of special significance. 

First, the eq-subsumption lemma in the previous section gives us a very interesting rule that lifts subsumption to the equality judgment. We remark that this is proven via the (Eq beta) rule.

(Eq subsumption)
  E ⊢ a↔a' : A    E ⊢ A <: B
  ───────────────────────────
  E ⊢ a↔a' : B

Note that, in general, it is not true that E ⊢ a↔a' : B and E ⊢ A <: B imply E ⊢ a↔a' : A.

The following two lemmas concern the equivalence of functions modulo domain restriction; the first one will find a useful application in section 3.1.

Lemma (Domain restriction)

If f : A→B, then f is equivalent to its restriction f|A' to a smaller domain A'<:A, when they are both seen at type A'→B. That is:

(Eq fun')
  E ⊢ A'<:A    E ⊢ B<:B'    E,x:A ⊢ b↔b' : B
  ───────────────────────────────────────────
  E ⊢ λ(x:A)b ↔ λ(x:A')b' : A'→B'

Proof (sketch)

First derive E ⊢ λ(y:A')(λ(x:A)b)(y) ↔ λ(x:A')b' : A'→B' via (Eq subsumption) and (Eq beta). Then pass from E ⊢ λ(x:A)b ↔ λ(x:A)b : A→B to E ⊢ λ(x:A)b ↔ λ(x:A)b : A'→B' by (Eq subsumption), and to E ⊢ λ(y:A')(λ(x:A)b)(y) ↔ λ(x:A)b : A'→B' by (Eq eta). Conclude by transitivity. □

Lemma (Bound restriction)

If f : ∀(X<:A)B, then f is equivalent to its restriction f|A' to a smaller bound A'<:A, when they are both seen at type ∀(X<:A')B. That is:

(Eq fun2')
  E ⊢ A'<:A    E,X<:A' ⊢ B<:B'    E,X<:A ⊢ b↔b' : B
  ───────────────────────────────────────────────────
  E ⊢ λ(X<:A)b ↔ λ(X<:A')b' : ∀(X<:A')B'

Proof

Similar to the previous lemma, using (Eq beta2) and (Eq eta2). □

We now turn to the (Eq appl2) rule. This rule asserts that if a polymorphic function b : ∀(X<:A)B is instantiated at two types A'<:A and A''<:A, then both instantiations evaluate to the same value with respect to any result type that is an upper bound of B{X←A'} and B{X←A''}.

(Eq appl2)
  E ⊢ b'↔b'' : ∀(X<:A)B    E ⊢ A'<:A    E ⊢ A''<:A
  E ⊢ B{X←A'}<:C    E ⊢ B{X←A''}<:C
  ───────────────────────────────────────────────────
  E ⊢ b'(A') ↔ b''(A'') : C

Note that this rule asserts that the result of b(A) is independent of A, in the proper result type.

A simpler derived rule (used in F≤ [CG 91]) is obtained by setting A'=A'':

(Eq appl2 A'=A'')
  E ⊢ b'↔b'' : ∀(X<:A)B    E ⊢ A'<:A
  ────────────────────────────────────
  E ⊢ b'(A') ↔ b''(A') : B{X←A'}

However, the (Eq appl2) rule is most useful when A'≠A'' and we can find a nontrivial upper bound to B{X←A'} and B{X←A''}. This fact motivates the following derived rule, which is often used in practice.

Denote by B{X⁻←C,X⁺←D} the substitution of C for the negative occurrences of X in B, and of D for the positive ones. Take A'<:A'' (<: A); then we have:

  B{X←A'}  = B{X⁻←A',X⁺←A'}   <: B{X⁻←A',X⁺←A''}
  B{X←A''} = B{X⁻←A'',X⁺←A''} <: B{X⁻←A',X⁺←A''}

(A proof of this may be found in [Ghe 90], section 14.3.) Hence, for A'<:A''<:A we have a (nontrivial) common supertype for B{X←A'} and B{X←A''}. This fact then justifies the following rule:

(Eq appl2 -+)
  E ⊢ b'↔b'' : ∀(X<:A)B    E ⊢ A'<:A''<:A
  ─────────────────────────────────────────
  E ⊢ b'(A') ↔ b''(A'') : B{X⁻←A',X⁺←A''}
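A worked instance of the two inclusions, added here and not part of the paper: take B = X→X, in which X has one negative occurrence (the domain) and one positive one (the codomain), and assume E ⊢ A'<:A''<:A.

\[
\begin{aligned}
B\{X^-\leftarrow A',\,X^+\leftarrow A''\} &= A'\to A'' \\
B\{X\leftarrow A'\} = A'\to A' &<: A'\to A''
  &&\text{by (Sub $\to$), from } E\vdash A'<:A' \text{ (Sub refl) and } E\vdash A'<:A'' \\
B\{X\leftarrow A''\} = A''\to A'' &<: A'\to A''
  &&\text{by (Sub $\to$), from } E\vdash A'<:A'' \text{ (contravariant domain) and } E\vdash A''<:A''
\end{aligned}
\]

Hence, for E ⊢ b'↔b'' : ∀(X<:A)X→X, (Eq appl2 -+) gives E ⊢ b'(A') ↔ b''(A'') : A'→A''. Neither instance type alone would serve as the C of (Eq appl2): A'→A' <: A''→A'' needs A''<:A' in the domain, and A''→A'' <: A'→A' needs A''<:A' in the codomain, so both choices require A''<:A' in addition to A'<:A''.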

This rule is in fact a special case of dinaturality of type application [BFSS 90], where the dinaturality is required only with respect to coercions A'<:A'', for all A', A'' subtypes of A. We have the diagram:

  [Diagram: from the single vertex ∀(X<:A)B, the arrows x(A') and x(A'') lead to B{X←A'} and B{X←A''}, which are then coerced into the common supertype B{X⁻←A',X⁺←A''}; the rule states that the two composite paths coincide.]

The two arrows on the left are the A' and A'' instances of generic type application x(X), where x is a variable of type ∀(X<:A)B, and B might have the type variable X free. The two arrows on the right are coercions induced by A'<:A''. Here ∀(X<:A)B is constant in X, so the coercion A'<:A'' has no effect on this type. Hence the diagram above is just a brief version of:

  ∀(X<:A)B ───x(A')──► B{X←A'}
     ║                    │
     ║                    ▼
  ∀(X<:A)B          B{X⁻←A',X⁺←A''}
     ║                    ▲
     ║                    │
  ∀(X<:A)B ───x(A'')─► B{X←A''}

where now the two horizontal arrows are the A' and A'' instances of x(X). In the terminology of [BFSS 90, p.42], the family given by {x(X) | X<:A} is dinatural in the coercions.

We conclude this section with an application of (Eq appl2), which is used in sections 
3.3 and 4. 

Proposition (Eq-substitution)

Assume E,X<:A,x:S ⊢ b:B and X positive in S and B.

If E ⊢ A₁,A₂<:A, E ⊢ s₁:S{X←A₁}, E ⊢ s₂:S{X←A₂}, E ⊢ s₁↔s₂:S{X←A}
then E ⊢ b{X←A₁,x←s₁} ↔ b{X←A₂,x←s₂} : B{X←A}

Proof

Let M ≜ λ(X<:A)λ(x:S)b. Then E ⊢ M : ∀(X<:A)S→B. Now prove:

  (1) E ⊢ M(A₁)(s₁) ↔ M(A)(s₁) : B{X←A},
      by (Eq appl2) and (Eq appl), since X is positive in S and B.
  (2) E ⊢ M(A₂)(s₂) ↔ M(A)(s₂) : B{X←A},
      similarly to (1).
  (3) E ⊢ M(A)(s₁) ↔ M(A)(s₂) : B{X←A},
      by (Eq appl2) and (Eq appl), since E ⊢ s₁↔s₂ : S{X←A}.

Conclude by (Eq trans), (Eq beta2), and (Eq beta). □

The proposition can be easily generalized to the case where there are several variables x₁:S₁,…,xₙ:Sₙ (X positive in all of them) and terms E ⊢ s₁:S{X←A₁},…, E ⊢ sₙ:S{X←Aₙ}, with E ⊢ A₁,…,Aₙ<:A and E ⊢ s₁↔…↔sₙ : S{X←A}.

2.5 PER semantics

For the PER semantics, the reader can consult [BL 88], [CL 90], [Ghe 90], and [See 90]. The interpretation of F<: in PER is explained in those papers, except that the rule (Eq appl2) must be shown sound. The proof rests on the fact that, given types ∀(X<:A)B and A'<:A, and denoting with ⟦_⟧ the interpretation function for types, we have ⟦∀(X<:A)B⟧ ⊆ ⟦B{X←A'}⟧. From this, and the observation that the interpretation for terms is given by erasing the type information, the conclusion is straightforward.
2.6 Conservativity of typing

Besides the presence of subtypes, the main new feature of F<: with respect to F lies in its equational theory, which extends the standard β-η equality in two directions, by adding a terminal type Top and introducing the rule (Eq appl2). Besides nonessential syntactic variants, the language of F is included in F<:'s language, and thus it makes sense to investigate whether F<: is conservative over F. We may, however, consider also an "intermediate" system between F and F<:, with the property that the language inclusion of F into F<: "splits".

The system we are interested in is F⊤, obtained by adding to F the type constant Top, together with rule (Eq collapse) for making Top a terminal type. If we want to compare F<: with its underlying subtype-free systems, we need a system such as F⊤, and not F, since it is well known that the terminal type is not definable in F. Moreover, the conservativity result we will prove with respect to F holds because F<: proves only trivial subtype judgments between F types, while the situation for F⊤ is more complex and its analysis sheds some more light on the structure of subtype proofs.

First of all, the equational theory (↔) of F<: is not conservative over F, because of the rule (Eq appl2). Consider, for example:

Proposition

  E ⊢ B type, E ⊢ c : ∀(X)X→B, E ⊢ a : A ⟹ E ⊢ c(Top)(top) ↔ c(A)(a) : B

Proof

  E ⊢ c(Top)(top) ↔ c(Top)(a) : B    val/eq lemma, (Eq appl2), (Eq collapse), (Eq appl)
  E ⊢ c(Top)(a) ↔ c(A)(a) : B        val/eq lemma, (Eq appl2), (Eq appl)
  E ⊢ c(Top)(top) ↔ c(A)(a) : B      (Eq trans). □

By applying this fact twice via (Eq trans) we can show:

  y : ∀(X)X→Bool ⊢ y(Bool)(true) ↔ y(Bool)(false) : Bool

which is an F-judgment equating two different β-η-normal forms. It is well known that no such judgment is derivable in F. A further application of (Eq fun) produces two closed terms with the same property.

As for the typing theory, however, F<:'s rules are designed to maintain and carefully generalize those of its subsystems. Writing ⊢F for derivations in F, ⊢⊤ for derivations in F⊤, and ⊢<: for derivations in F<:, we can prove the following result.

Theorem

  (i) If E ⊢<: a : A, where E, a, and A are in the language of F, then E ⊢F a : A.
  (ii) If E ⊢<: a : A, where E, a, and A are in the language of F⊤, then there exists an F⊤-term, a1, such that E ⊢⊤ a1 : A and E ⊢<: a↔a1 : A.

The proof of these statements (inspired by some results in [Ghe 90]) requires a detour on normal form proofs in F<:. These normal forms are studied in [CG 91] for a slightly different system, but they share with F<: the same typing judgments. The reason for the detour is that trivial proofs by induction on the derivation of E ⊢<: a : A do not work, since F<: has "cut rules" (e.g. (Subsumption), (Sub trans), or (Val appl2)) that may introduce non-F (or non-F⊤) types.

2.6.1 Normal and minimal proofs in F<:

In F<: a single typing judgment may have many proofs. The non-determinism of the proof search arises from the freedom in the order in which the rules (Subsumption) and (Sub trans) can be applied. However, as shown in [CG 91], this freedom does not provide additional proving power. In subtype proofs we can do without (Sub trans) except for the uses where the first (i.e., smallest) type is a variable appearing in the environment. In type proofs, we can restrict the use of (Subsumption) so as to derive only the least type for a given term, which may then be given a larger type with a single, last application of (Subsumption). These ideas are the inspiration for the notions of normal and minimal normal proofs.

Subtype proofs

A normal form proof of E ⊢<: A<:B is a proof E ⊢nf A<:B obtained in the formal system ⊢nf consisting of the rules (Sub Top), (Sub →), (Sub ∀) (where ⊢<: is replaced by ⊢nf), plus the following rules:

(Sub Refl-X)
  E ⊢nf X type
  ───────────────
  E ⊢nf X <: X

(Sub Trans-X)
  E',X<:B,E'' ⊢nf B <: A    A≠Top
  ─────────────────────────────────
  E',X<:B,E'' ⊢nf X <: A

Type proofs

Normal form proofs and minimal normal form proofs of E ⊢<: a : A are
simultaneously defined as follows.

A normal form proof E ⊢nf a : A is either (1) a minimal normal form proof E ⊢mnf a : A,
or (2) a minimal normal form proof followed by a single nontrivial use of
subsumption; in this case the final step has the form:

    E ⊢mnf a : A'    E ⊢nf A' <: A    where A' ≠ A
    ----------------------------------
    E ⊢nf a : A

A minimal normal form proof E ⊢mnf a : A is a proof using only the rules (Val x), (Val
top), (Val fun), (Val fun2) (where ⊢<: is replaced by ⊢mnf), or one of the two rules below,
which use the following notation:

    E(X)  = A            if E = E_1,X<:A,E_2.
    E*(C) = C            if C is not a variable;
    E*(X) = E(X)         if E(X) is not a variable;
    E*(X) = E_1*(E(X))   if E(X) is a variable and E = E_1,X<:A,E_2.

(Val appl-min)
    E ⊢mnf b : C    E ⊢nf a : A    E*(C) = A→B
    ------------------------------------------------
    E ⊢mnf b(a) : B

(Val appl2-min)
    E ⊢mnf b : C    E ⊢nf A' <: A    E*(C) = ∀(X<:A)B
    -----------------------------------------------------
    E ⊢mnf b(A') : B{X←A'}

Proposition

For any provable judgment E ⊢<: a : A, there exists a unique derivation
of E ⊢nf a : A.
Proof [CG 91] □
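The normal-form subtype rules and the minimal-typing rules above can be read as an algorithm. The following Python is an added example, not code from the paper: it implements E*(C), the normal-form subtype check and the minimal type of a term, so that E ⊢<: a : A holds exactly when the minimal type of a is a subtype of A. It assumes well-formed environments and distinct bound-variable names (so substitution does not avoid capture).

```python
"""Normal-form subtyping and minimal typing for F<: (Section 2.6.1).
Added example, not code from the paper.  Assumed: environments are well
formed and bound variable names are distinct (no capture avoidance)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Top: pass                                       # the type Top
@dataclass(frozen=True)
class TVar: name: str                                 # type variable X
@dataclass(frozen=True)
class Arrow: dom: "Type"; cod: "Type"                 # A -> B
@dataclass(frozen=True)
class Forall: var: str; bound: "Type"; body: "Type"   # forall(X<:A)B

@dataclass(frozen=True)
class Var: name: str                                  # term variable x
@dataclass(frozen=True)
class TopTerm: pass                                   # the constant top
@dataclass(frozen=True)
class Fun: var: str; ann: "Type"; body: "Term"        # lambda(x:A)b
@dataclass(frozen=True)
class Fun2: var: str; bound: "Type"; body: "Term"     # lambda(X<:A)b
@dataclass(frozen=True)
class App: fn: "Term"; arg: "Term"                    # b(a)
@dataclass(frozen=True)
class App2: fn: "Term"; targ: "Type"                  # b(A')

# An environment E is a list of ("X", name, bound) / ("x", name, type) entries.
def lookup(env, kind, name):
    """E(X) (kind "X": the declared bound of X) or the type of x (kind "x")."""
    for k, n, ty in env:
        if k == kind and n == name:
            return ty
    raise TypeError(f"{name} is not in the environment")

def subst(t, x, s):
    """The type t{x <- s}."""
    if isinstance(t, TVar):
        return s if t.name == x else t
    if isinstance(t, Arrow):
        return Arrow(subst(t.dom, x, s), subst(t.cod, x, s))
    if isinstance(t, Forall):
        body = t.body if t.var == x else subst(t.body, x, s)      # x shadowed?
        return Forall(t.var, subst(t.bound, x, s), body)
    return t                                                      # Top

def expose(env, c):
    """E*(C): C if it is not a variable, else follow bounds until one is found."""
    while isinstance(c, TVar):
        c = lookup(env, "X", c.name)
    return c

def subtype(env, a, b):
    """E |-nf A <: B: does the unique normal-form subtype proof exist?"""
    if isinstance(b, Top):                                        # (Sub Top)
        return True
    if isinstance(a, TVar):
        if isinstance(b, TVar) and a.name == b.name:              # (Sub Refl-X)
            return True
        return subtype(env, lookup(env, "X", a.name), b)          # (Sub Trans-X), B != Top
    if isinstance(a, Arrow) and isinstance(b, Arrow):             # (Sub ->)
        return subtype(env, b.dom, a.dom) and subtype(env, a.cod, b.cod)
    if isinstance(a, Forall) and isinstance(b, Forall):           # (Sub forall)
        body_b = subst(b.body, b.var, TVar(a.var))                # align bound variables
        return (subtype(env, b.bound, a.bound)
                and subtype(env + [("X", a.var, b.bound)], a.body, body_b))
    return False

def min_type(env, t):
    """E |-mnf t : A, the least type of t; raises TypeError if t is ill typed."""
    if isinstance(t, Var):                                        # (Val x)
        return lookup(env, "x", t.name)
    if isinstance(t, TopTerm):                                    # (Val top)
        return Top()
    if isinstance(t, Fun):                                        # (Val fun)
        return Arrow(t.ann, min_type(env + [("x", t.var, t.ann)], t.body))
    if isinstance(t, Fun2):                                       # (Val fun2)
        return Forall(t.var, t.bound, min_type(env + [("X", t.var, t.bound)], t.body))
    if isinstance(t, App):                                        # (Val appl-min)
        fn = expose(env, min_type(env, t.fn))                     # E*(C) = A -> B ?
        if not isinstance(fn, Arrow):
            raise TypeError("exposed type of the function is not an arrow")
        if not subtype(env, min_type(env, t.arg), fn.dom):        # E |-nf a : A
            raise TypeError("argument is not a subtype of the domain")
        return fn.cod
    if isinstance(t, App2):                                       # (Val appl2-min)
        fn = expose(env, min_type(env, t.fn))                     # E*(C) = forall(X<:A)B ?
        if not isinstance(fn, Forall):
            raise TypeError("exposed type of the function is not a forall")
        if not subtype(env, t.targ, fn.bound):                    # E |-nf A' <: A
            raise TypeError("type argument exceeds the bound")
        return subst(fn.body, fn.var, t.targ)                     # B{X <- A'}
    raise TypeError(f"unknown term {t!r}")

def has_type(env, t, a):
    """E |-<: t : A: the minimal proof plus at most one final subsumption."""
    try:
        return subtype(env, min_type(env, t), a)
    except TypeError:
        return False
```

For instance, in the environment X<:Top, x:X the minimal type of x is X and has_type with Top succeeds by one subsumption, while a variable whose bound chain is Y <: X <: Top→Top is exposed to Top→Top before (Val appl-min) applies.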

2.6.2 F<: typing is conservative over F typing

It is not difficult to see F as a subsystem of F<:. We can define a translation function
τ over the language of F so that:

τ(∀X.A) = ∀(X<:Top) τ(A)
τ(λX.M) = λ(X<:Top) τ(M)

and which is trivially defined on all the other constructs. A well-formed environment E in
F consists of a collection E_1 = X_1,...,X_h of type variables and a list E_2 = x_1:S_1,...,x_k:S_k
of type assumptions, where at most the type variables in E_1 can appear free. Then:

τ(E) = X_1<:Top, ..., X_h<:Top, x_1:τ(S_1), ..., x_k:τ(S_k).

From this, it is almost obvious that F-derivations E ⊢F a:A and E ⊢F a↔a':A are mapped
to F<:-derivations τ(E) ⊢<: τ(a):τ(A) and τ(E) ⊢<: τ(a)↔τ(a'):τ(A) with the following
properties. The resulting derivations never use (Subsumption) (and thus subtyping rules) or
Top rules, and (Eq appl2) is always applied in its special case where A' = A'' and
C = B{X←A'}. In the following we will argue directly in the language of F<: (thus
dispensing with τ).

Lemma

Let E be an F-environment, and let A and B be F-types.
E ⊢<: A<:B iff A = B.
Proof

The "if" direction is a routine induction. For the other direction, take the normal form
proof of E ⊢<: A<:B. Then (Sub →) and (Sub ∀) proceed by induction, and (Sub Refl-X) is
trivial. For (Sub Trans-X), E ⊢nf X<:A must have been derived from E',X<:Top,E'' ⊢nf Top
<: A, but the latter implies A = Top by the subtyping decomposition lemma, which is
absurd since A is an F-type. □

Lemma

Let E be an F-environment, a be an F-term, and let E ⊢mnf a : A. Then A is an F-type
and E ⊢F a : A.
Proof

By induction on the derivation E ⊢mnf a : A.

(Val x) E',x:A,E'' ⊢mnf x : A.

Then A is an F-type, since E is an F-environment.

(Val fun) The last rule is:

    E,x:A ⊢mnf b : B
    --------------------------
    E ⊢mnf λ(x:A)b : A→B

By hypothesis, λ(x:A)b is an F-term and therefore A is an F-type.
By induction hypothesis, B is an F-type and E,x:A ⊢F b : B.

(Val fun2) is analogous to (Val fun).

(Val appl-min) The last rule is:

    E ⊢mnf b : C    E ⊢nf a : A    E*(C) = A→B
    ------------------------------------------------
    E ⊢mnf b(a) : B

Consider first the premise E ⊢mnf b : C. We show that C cannot be a variable. Indeed, if
it were the case that C = X, then E*(C) = E(X) = Top, since E is an F-environment, contrary
to the side condition that E*(C) has to be a function type. Therefore C is not a variable,
and E*(C) = C = A→B. By induction hypothesis, A→B is an F-type and E ⊢F b : A→B.

Consider now the proof E ⊢nf a : A. We claim it is actually a minimal normal form proof.
In fact, we already proved that A→B is an F-type; hence A is an F-type. If it were the
case that the last step of the proof E ⊢nf a : A is

    E ⊢mnf a : A'    E ⊢nf A' <: A
    ----------------------------------
    E ⊢nf a : A

with A' ≠ A, then, by induction hypothesis, A' would be an F-type and A' = A by the
previous lemma. Hence the proof E ⊢nf a : A is a minimal normal proof E ⊢mnf a : A and,
by induction hypothesis, E ⊢F a : A.

(Val appl2-min) The last rule is:

    E ⊢mnf b : C    E ⊢nf A' <: A    E*(C) = ∀(X<:A)B
    -----------------------------------------------------
    E ⊢mnf b(A') : B{X←A'}

Note first that since b(A') is an F-term, A' is an F-type. As in the previous case, C cannot
be a variable, and C = ∀(X<:A)B. By induction hypothesis, ∀(X<:A)B is an F-type (thus
A = Top, making trivial the other premise E ⊢nf A' <: Top) and E ⊢F b : ∀(X<:Top)B.
Then E ⊢F b(A') : B{X←A'}. □

Theorem (Conservativity of typing over F)

Let E be an F-environment, a be an F-term and A be an F-type.
E ⊢<: a : A  ⇒  E ⊢F a : A

Proof

Consider the unique normal form proof E ⊢nf a : A.
If its last step is:

    E ⊢mnf a : A'    E ⊢nf A' <: A
    ----------------------------------
    E ⊢nf a : A

with A' ≠ A, then, by the previous lemma, A' would be an F-type
and A' = A by the other lemma. The proof E ⊢nf a : A is then a proof
E ⊢mnf a : A; the previous lemma allows us to obtain the conclusion. □

2.6.3 F<: typing is conservative "modulo an equality" over F1 typing

As in the case of F, system F1 can be easily viewed as a subsystem of F<:. Consider
the subsystem of F<: obtained by: restricting (Env X) to the case where A = Top, dropping
all the subtyping rules but (Sub Top), removing (Subsumption), and restricting (Eq appl2) to the
case where A' = A'' and C = B{X←A'}. We will therefore identify F1 with this subsystem
and write ⊢1 for F1-derivations.

The reason why the typing theory of F<: is conservative over that of F (expressed in
the first lemma of the previous subsection) is that only trivial subtype judgments E ⊢<:
A<:B with A = B can be proved when A and B are F-types. The situation for F1-types is
more interesting, since, due to (Sub Top), nontrivial inclusions can be proved.

A first remark is that the typing of F<: is not conservative over that of F1:

X<:Top,x:X ⊢<: x:Top

but, of course,

¬(X<:Top,x:X ⊢1 x:Top)

This failure is, indeed, one of the pragmatic reasons (from the programming language
design viewpoint) for introducing (Subsumption), since this is the mechanism by which a
program (method, function, ...) can be inherited in other types.

We can look, however, for conservativity modulo an F<:-equality. If E ⊢<: a : A,
where E, a, and A are in the language of F1, then there exists an F1-term, a1 say, such
that E ⊢1 a1 : A and E ⊢<: a ↔ a1 : A. In the example above, it is obvious that
X<:Top,x:X ⊢1 top:Top and X<:Top,x:X ⊢<: x ↔ top : Top, by (Eq Top).

We start with some preliminary lemmas. Let

id = λ(X<:Top)λ(x:X)x

Lemma (Identity coercions)

Let E be an F1-environment, A and B be F1-types, and E ⊢<: A<:B. Then there exists
an F1-term k_{A,B} such that:

E ⊢1 k_{A,B} : A→B and E ⊢<: k_{A,B} ↔ id(A) : A→B.

Proof

By induction on the normal form proof E ⊢nf A<:B.

Note first that (Sub Trans-X) cannot be the last rule of such a proof, because its premise
would be E',X<:Top,E'' ⊢nf Top <: A (since E is an F1-environment), which would imply
A = Top by the subtyping decomposition lemma, which is impossible because of the side
condition requiring A ≠ Top. In the other cases, we take k_{A,B} as the (inductively defined)
explicit coercion between A and B. Details are as follows.

(Sub Refl-X) is trivial.

(Sub Top) E ⊢<: A<:Top. Take then k_{A,Top} = λ(x:A)top.

Rules (Eq collapse) and (Eq fun) give E ⊢<: k_{A,Top} ↔ id(A) : A→Top.

(Sub →) Define k_{A→B,A'→B'} = λ(f:A→B) k_{B,B'} ∘ f ∘ k_{A',A}.
From E ⊢nf A→B <: A'→B', by induction hypothesis
and an easy argument:

E,f:A→B ⊢<: λ(x:A')k_{B,B'}(f(k_{A',A}(x))) ↔ λ(x:A')f(x) : A'→B'
by (Eq eta) and transitivity:

E,f:A→B ⊢<: λ(x:A')k_{B,B'}(f(k_{A',A}(x))) ↔ f : A'→B'
by (Eq fun):

E ⊢<: λ(f:A→B)λ(x:A')k_{B,B'}(f(k_{A',A}(x))) ↔ λ(f:A→B)f : (A→B)→(A'→B')

(Sub ∀) E ⊢nf ∀(X<:A)B <: ∀(X<:A')B' where A = A' = Top because
both ∀(X<:A)B and ∀(X<:A')B' are F1-types. Let:

C = ∀(X<:Top)B and C' = ∀(X<:Top)B'
and define:

k_{C,C'} = λ(x:C)λ(X<:Top)k_{B,B'}(x(X))
From E ⊢nf C <: C', by induction and an easy argument

E,x:C ⊢<: λ(X<:Top)k_{B,B'}(x(X)) ↔ λ(X<:Top)x(X) : C'
by (Eq eta2) and transitivity

E,x:C ⊢<: λ(X<:Top)k_{B,B'}(x(X)) ↔ x : C'
and hence the thesis, by (Eq fun). □

Lemma

Let E be an F1-environment, a an F1-term and E ⊢mnf a : A. Then:

(i) A is an F1-type

(ii) there exists an F1-term a1 such that E ⊢1 a1 : A and E ⊢<: a ↔ a1 : A
Proof

By induction on E ⊢mnf a : A.

(Val x) E',x:A,E'' ⊢mnf x : A. Then A is an F1-type, since E is an
F1-environment, and a1 = x; the conclusion (ii) follows by (Eq x).

(Val top) E ⊢mnf top : Top. Then also E ⊢1 top : Top and we can take a1 = top.

(Val fun) The last rule is:

    E,x:A ⊢mnf b : B
    --------------------------
    E ⊢mnf λ(x:A)b : A→B

By hypothesis, λ(x:A)b is an F1-term and therefore A is an F1-type.
By induction hypothesis, B is an F1-type and there exists a term b1
such that E,x:A ⊢1 b1 : B and E,x:A ⊢<: b ↔ b1 : B.
The thesis follows by (Eq fun).

(Val fun2) is analogous to (Val fun).

(Val appl-min) The last rule is:

    E ⊢mnf b : C    E ⊢nf a : A    E*(C) = A→B
    ------------------------------------------------
    E ⊢mnf b(a) : B

Consider first the left premise, E ⊢mnf b : C. We observe that C cannot be a variable X.
If it were, since E is an F1-environment, we would have E*(C) = E(X) = Top, contradicting
the assumption that E*(C) = A→B. Thus C = A→B, induction applies, A→B is an F1-type
and we obtain an F1-term b1 such that

E ⊢1 b1 : A→B and E ⊢<: b ↔ b1 : A→B.

Consider now the other premise, E ⊢nf a : A. If it happens to be a minimal normal form
proof E ⊢mnf a : A, then by induction hypothesis we have a term a1 such that:

E ⊢1 a1 : A and E ⊢<: a ↔ a1 : A.

Otherwise, the last step of E ⊢nf a : A is:

    E ⊢mnf a : A'    E ⊢nf A' <: A
    ----------------------------------
    E ⊢nf a : A

By induction hypothesis, A' is an F1-type and we get an F1-term a'
such that E ⊢1 a' : A' and E ⊢<: a ↔ a' : A'.

We already proved that A→B is an F1-type; hence A is an F1-type.
From E ⊢nf A' <: A, the identity coercions lemma gives an F1-term k_{A',A}
such that E ⊢1 k_{A',A} : A'→A and E ⊢<: k_{A',A} ↔ id(A') : A'→A.
Take then a1 = k_{A',A}(a'). Simple computations give:

E ⊢1 a1 : A and E ⊢<: a ↔ a1 : A.
Finally, by (Eq appl)

E ⊢1 b1(a1) : B and E ⊢<: b1(a1) ↔ b(a) : B.

(Val appl2-min) The last rule is

    E ⊢mnf b : C    E ⊢nf A' <: A    E*(C) = ∀(X<:A)B
    -----------------------------------------------------
    E ⊢mnf b(A') : B{X←A'}

Note, first, that since b(A') is an F1-term, A' is an F1-type. As in the previous case, in
E ⊢mnf b : C, C cannot be a variable. Therefore, the left premise is E ⊢mnf b : ∀(X<:A)B.
By induction hypothesis, ∀(X<:A)B is an F1-type (thus A = Top and the second premise is
trivial) and we have an F1-term b1 such that

E ⊢1 b1 : ∀(X<:Top)B and E ⊢<: b ↔ b1 : ∀(X<:Top)B.
Then E ⊢1 b1(A') : B{X←A'} and E ⊢<: b(A') ↔ b1(A') : B{X←A'}. □

We can finally prove our conservativity result:

Theorem (Conservativity of typing over F1)

If E ⊢<: a : A, where E, a, and A are in the language of F1, then there
exists an F1-term, a1, such that E ⊢1 a1 : A and E ⊢<: a ↔ a1 : A.
Proof

Take the normal form proof E ⊢nf a : A. If it is a minimal normal form
proof, then the thesis follows by the previous lemma. If, on the other
hand, it consists of a minimal normal form proof E ⊢mnf a : A' followed by
subsumption with premise E ⊢nf A' <: A, then, by the previous lemma,
A' is an F1-type and we have an F1-term, a', such that E ⊢1 a' : A' and
E ⊢<: a ↔ a' : A'. The thesis then follows by the identity coercions lemma
and (Eq appl). □
3. Expressiveness

Since F<: is an extension of F, one can already carry out all the standard encodings of
algebraic data types that are possible in F [BB 85]. However, it is not clear that anything of
further interest can be obtained from the subtyping rules of F<:, which involve only an
apparently useless type Top and the simple rules for → and ∀. In this section we begin to
show that we can in fact construct rich subtyping relations on familiar data structures.



3.1 Booleans 

In the rest of Section 3 we concentrate on inclusion of structured types, but for this to
make sense we need to show that there are some nontrivial inclusions already at the level
of basic types. We investigate here the type of booleans, illustrating some consequences
of the F<: rules.

Starting from the encoding of Church's booleans in F, we can define three subtypes of
Bool as follows (cf. [Fai 89]):

Bool  = ∀(A) A→A→A
True  = ∀(A) A→Top→A
False = ∀(A) Top→A→A
None  = ∀(A) Top→Top→A

where:

None <: True, None <: False, True <: Bool, False <: Bool

Looking at all the closed normal forms (that is, the elements) of these types, we have:

true_Bool : Bool = λ(A) λ(x:A) λ(y:A) x

false_Bool : Bool = λ(A) λ(x:A) λ(y:A) y

true_True : True = λ(A) λ(x:A) λ(y:Top) x

false_False : False = λ(A) λ(x:Top) λ(y:A) y

We obtain four elements of type Bool; in addition to the usual two, true_Bool and false_Bool,
the extra true_True and false_False have type Bool by subsumption. This is somewhat
surprising because computationally there are only two booleans. Intuitively, if two
arguments of an arbitrary type are given, there are only two ways of providing a result of
that type. This coincides with the fact that by removing all the type information in the
terms above, we obtain only two distinct untyped terms. Fortunately, we can show that
true_Bool and true_True are provably equivalent at type Bool, by using the domain restriction
lemma (Eq fun') from Section 2.4.

E,A<:Top,x:A,y:Top ⊢ x ↔ x : A    E ⊢ A<:Top
--------------------------------------------------------------- (Eq fun')
E,A<:Top,x:A ⊢ λ(y:Top) x ↔ λ(y:A) x : A→A
---------------------------------------------------------------
E,A<:Top ⊢ λ(x:A) λ(y:Top) x ↔ λ(x:A) λ(y:A) x : A→A→A
---------------------------------------------------------------
E ⊢ λ(A) λ(x:A) λ(y:Top) x ↔ λ(A) λ(x:A) λ(y:A) x : ∀(A) A→A→A
---------------------------------------------------------------
E ⊢ true_True ↔ true_Bool : Bool

Similarly, we can show that E ⊢ false_False ↔ false_Bool : Bool. Hence, there really are
only two different values in Bool; one value each in True and False, and none in None.

3.2 Naturals 

The encoding of booleans in the previous section does not seem to generalize to other
algebraic types. A different style of encoding (which can also be applied to booleans)
works better for naturals. In the following encoding, Nat stands for the type of naturals,
Nat_z for the type of zero naturals (the singleton zero), and Nat_s for the type of non-zero
naturals.

Nat   = ∀(N) ∀(N_z<:N) ∀(N_s<:N) N_z→(N→N_s)→N
Nat_z = ∀(N) ∀(N_z<:N) ∀(N_s<:N) N_z→(N→N_s)→N_z
Nat_s = ∀(N) ∀(N_z<:N) ∀(N_s<:N) N_z→(N→N_s)→N_s

The closed normal forms of minimal type for Nat are the usual Church numerals; for Nat_z
we have only the zero natural, and for Nat_s the non-zero naturals. We obtain:

Nat_z <: Nat, Nat_s <: Nat

zero : Nat_z =
    λ(N) λ(N_z<:N) λ(N_s<:N) λ(z:N_z) λ(s:N→N_s) z

succ : Nat→Nat_s =
    λ(n:Nat)
    λ(N) λ(N_z<:N) λ(N_s<:N) λ(z:N_z) λ(s:N→N_s)
    s(n(N)(N_z)(N_s)(z)(s))

3.3 Products 

The standard encoding for pairs in F, shown below, already exhibits useful subtyping
properties.

A×B = ∀(C) (A→B→C)→C

Both A and B occur in monotonic positions in A×B, being placed on the left of an →
which is on the left of another →. Hence we obtain the expected monotonic inclusion of
products as a derived rule:

E ⊢ A<:A'    E ⊢ B<:B'
---------------------------
E ⊢ A×B <: A'×B'

The operations on pairs are defined, as usual, as:

pair : ∀(A) ∀(B) A→B→A×B
    = λ(A) λ(B) λ(a:A) λ(b:B) λ(C) λ(f:A→B→C) f(a)(b)
fst : ∀(A) ∀(B) A×B→A
    = λ(A) λ(B) λ(c:A×B) c(A)(λ(x:A)λ(y:B)x)
snd : ∀(A) ∀(B) A×B→B
    = λ(A) λ(B) λ(c:A×B) c(B)(λ(x:A)λ(y:B)y)

We often use the following abbreviations, disambiguated by context:

a,b = a,_{A×B} b = pair(A)(B)(a)(b)

fst(c) = fst_{A×B}(c) = fst(A)(B)(c)
snd(c) = snd_{A×B}(c) = snd(A)(B)(c)

3.4 Simple tuples 

A tuple type is an iterated product type. When the last factor of this iterated product is
a type variable, we have an extensible tuple type. When it is Top, we have a simple tuple
type. In this paper we discuss only simple tuple types.

Tuple(Top) = Top

Tuple(A_1,..,A_n,Top) = A_1×(..×(A_n×Top)..)    n≥1

With derived rule:

E ⊢ A_1<:B_1 .. E ⊢ A_n<:B_n    E ⊢ A_{n+1} type .. E ⊢ A_m type
-------------------------------------------------------------------
E ⊢ Tuple(A_1,..,A_n,..,A_m,Top) <: Tuple(B_1,..,B_n,Top)

For example:

Tuple(A, B, Top) <: Tuple(A, Top)

because A <: A, B×Top <: Top, and × is monotonic.

We note here that the type Top assumes a very useful role, in allowing a longer tuple
type to be a subtype of a shorter tuple type. The intuition is that a longer tuple value can
always be regarded as a shorter tuple value, by "forgetting" the additional components,
and this is possible since everything is forgotten in Top.

For tuple values we have:

tuple(top) = top

tuple(a_1,..,a_n,top) = a_1,(..,(a_n,top)..)    n≥1

with derived rules:

E ⊢ a_1 : A_1 .. E ⊢ a_n : A_n
--------------------------------------------------
E ⊢ tuple(a_1,..,a_n,top) : Tuple(A_1,..,A_n,Top)

E ⊢ a_1↔b_1 : A_1 .. E ⊢ a_n↔b_n : A_n
----------------------------------------------------------------------
E ⊢ tuple(a_1,..,a_n,top) ↔ tuple(b_1,..,b_n,top) : Tuple(A_1,..,A_n,Top)

The basic tuple operations are: a↓i, dropping the first i components of tuple a; and a.i,
selecting the i-th component of a. These are defined by iterating product operations;
again, we omit some typing information:

a↓i = snd^i(a)

a.i = fst(a↓i)

We obtain the derived rules:

E ⊢ a : Tuple(A_0,..,A_n,Top)    n≥0, i∈0..n+1
-----------------------------------------------
E ⊢ a↓i : Tuple(A_i,..,A_n,Top)

E ⊢ a : Tuple(A_0,..,A_n,Top)    n≥0, i∈0..n
--------------------------------------------
E ⊢ a.i : A_i

E ⊢ a_0 : A_0 .. E ⊢ a_n : A_n    n≥0, i∈0..n+1
-------------------------------------------------------------------------
E ⊢ tuple(a_0,..,a_n,top)↓i ↔ tuple(a_i,..,a_n,top) : Tuple(A_i,..,A_n,Top)

E ⊢ a_0 : A_0 .. E ⊢ a_n : A_n    n≥0, i∈0..n
----------------------------------------------
E ⊢ tuple(a_0,..,a_n,top).i ↔ a_i : A_i

3.5. Simple records 

We restrict ourselves to the encoding of simple records (the ones with a fixed number
of components [CL 90]); extensible records are treated in [Car 91].

Let L be a countable set of labels, enumerated by a bijection ι ∈ L→Nat. We indicate
by l^i, with a superscript, the i-th label in this enumeration. Often we need to refer to a list
of n distinct labels out of this enumeration; we then use subscripts, as in l_1..l_n. So we may
have, for example, l_1,l_2,l_3 = l^5,l^1,l^17. More precisely, l_1..l_n stands for l^σ(1),..,l^σ(n) for
some injective σ ∈ 1..n→Nat.

A record type has the form Rcd(l_1:A_1,..,l_n:A_n,C); in this presentation C will always be
Top. Once the enumeration of labels is fixed, a record type is encoded as a tuple type
where the record components are allocated to tuple slots as determined by the index of
their labels. The component of label l^i is allocated into the i-th tuple slot; the remaining
slots are filled with Top "padding". For example:

Rcd(l^2:C, l^0:A, Top) = Tuple(A, Top, C, Top)

Since record type components are canonically sorted under the encoding, two record
types that differ only in the order of their components will be equal under the encoding.
Hence we can consider record components as unordered.

From the encoding, we derive the familiar rule for simple records [Car 88]:

E ⊢ A_1<:B_1 .. E ⊢ A_n<:B_n    E ⊢ A_{n+1} type .. E ⊢ A_m type
-------------------------------------------------------------------
E ⊢ Rcd(l_1:A_1,..,l_n:A_n,..,l_m:A_m,Top) <: Rcd(l_1:B_1,..,l_n:B_n,Top)

This holds because any additional field l_k:A_k (n<k≤m) on the left is absorbed either by the
Top padding on the right, if ι(l_k) < max(ι(l_1)..ι(l_n)), or by the final Top, otherwise. For
example:

Rcd(l^0:A, l^1:B, l^2:C, Top) = Tuple(A, B, C, Top)
    <: Tuple(Top, B, Top) = Rcd(l^1:B, Top)

Record values are similarly encoded, for example:

rcd(l^2=c, l^0=a, top) = tuple(a, top, c, top)

from which we obtain the rules:

E ⊢ a_1:A_1 .. E ⊢ a_n:A_n
----------------------------------------------------------
E ⊢ rcd(l_1=a_1,..,l_n=a_n,top) : Rcd(l_1:A_1,..,l_n:A_n,Top)

E ⊢ a_1↔a'_1 : A_1 .. E ⊢ a_n↔a'_n : A_n
----------------------------------------------------------------------------------
E ⊢ rcd(l_1=a_1,..,l_n=a_n,top) ↔ rcd(l_1=a'_1,..,l_n=a'_n,top) : Rcd(l_1:A_1,..,l_n:A_n,Top)

Record selection is encoded as follows:

r.l = r.(ι(l))

E ⊢ r : Rcd(l:A,Top)
---------------------
E ⊢ r.l : A

Note that, by subsumption, we have the following as (further) derived rules:

E ⊢ a_1:A_1 .. E ⊢ a_n:A_n .. E ⊢ a_m:A_m
----------------------------------------------------------------------
E ⊢ rcd(l_1=a_1,..,l_n=a_n,..,l_m=a_m,top) : Rcd(l_1:A_1,..,l_n:A_n,Top)

E ⊢ a_1↔b_1 : A_1 .. E ⊢ a_n↔b_n : A_n
E ⊢ a_{n+1} : B_{n+1} .. E ⊢ a_p : B_p    E ⊢ b_{n+1} : C_{n+1} .. E ⊢ b_q : C_q
----------------------------------------------------------------------------------
E ⊢ rcd(l_1=a_1,..,l_n=a_n,..,l_p=a_p,top) ↔ rcd(l_1=b_1,..,l_n=b_n,..,l_q=b_q,top)
    : Rcd(l_1:A_1,..,l_n:A_n,Top)

E ⊢ r : Rcd(l_1:A_1,..,l_n:A_n,Top)    i∈1..n
-----------------------------------------------
E ⊢ r.l_i : A_i

The second rule above is particularly interesting. It expresses a form of observational
equivalence: two records are equivalent if they coincide on the components that are
observable at a given type. This holds ultimately because any two values are equivalent at
type Top.
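The tuple and record encodings of Sections 3.4 and 3.5 can be checked mechanically. The following Python is an added example, not code from the paper: it fixes a label enumeration ι (the dictionary IOTA and the atom types A, B, C are constructed for the demonstration), encodes Rcd(...) as a Top-padded Tuple(...), decides the derived record rule on the encodings, and implements a↓i, a.i and r.l on encoded values.

```python
"""Simple records as Top-padded tuples (Sections 3.4 and 3.5).
Added example, not code from the paper.  The label enumeration IOTA and
the atom types A, B, C are constructed for the demonstration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Top: pass                       # the type Top
@dataclass(frozen=True)
class Atom: name: str                 # an opaque type constant such as A, B, C
@dataclass(frozen=True)
class Prod: left: "Ty"; right: "Ty"   # the product type A x B

# iota: a fixed bijection from labels to Nat (constructed example)
IOTA = {"id": 0, "name": 1, "age": 2, "email": 3}
TOP = "top"                           # the one value of type Top

def tuple_type(factors):
    """Tuple(A1,..,An,Top) = A1 x (.. x (An x Top)..); Tuple(Top) = Top."""
    ty = Top()
    for a in reversed(factors):
        ty = Prod(a, ty)
    return ty

def rcd_type(fields):
    """Rcd(l1:A1,..,ln:An,Top): label l occupies slot iota(l); every unused
    slot below the highest used index is padded with Top."""
    if not fields:
        return Top()
    slots = [Top()] * (max(IOTA[l] for l in fields) + 1)
    for label, ty in fields.items():
        slots[IOTA[label]] = ty
    return tuple_type(slots)

def subtype(a, b):
    """(Sub Top), identical atoms, and the derived monotonic rule for x:
    A x B <: A' x B' when A <: A' and B <: B'."""
    if isinstance(b, Top):
        return True
    if isinstance(a, Atom) and isinstance(b, Atom):
        return a == b
    if isinstance(a, Prod) and isinstance(b, Prod):
        return subtype(a.left, b.left) and subtype(a.right, b.right)
    return False

def rcd_subtype(left, right):
    """The derived record rule, decided on the encodings.  Extra fields on the
    left are absorbed by Top padding or by the final Top of the right side."""
    return subtype(rcd_type(left), rcd_type(right))

def tuple_value(items):
    """tuple(a1,..,an,top) = a1,(..,(an,top)..) as nested pairs."""
    v = TOP
    for a in reversed(items):
        v = (a, v)
    return v

def rcd_value(fields):
    """rcd(l1=a1,..,ln=an,top): values placed by iota, padding slots hold top."""
    if not fields:
        return TOP
    slots = [TOP] * (max(IOTA[l] for l in fields) + 1)
    for label, val in fields.items():
        slots[IOTA[label]] = val
    return tuple_value(slots)

def drop(a, i):
    """a↓i = snd^i(a): forget the first i components."""
    for _ in range(i):
        a = a[1]
    return a

def proj(a, i):
    """a.i = fst(a↓i): the i-th component."""
    return drop(a, i)[0]

def select(r, label):
    """r.l = r.(iota(l)): record selection on the encoded value."""
    return proj(r, IOTA[label])
```

With IOTA as above, rcd_type({"age": C, "id": A}) is Tuple(A, Top, C, Top), and the record with fields id, name, age is a subtype of the record with only name, while the converse fails.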

3.6. Lists 

Following the pattern used in the encoding of naturals, we can define the algebra of
parametric lists [BB 85]. List[A] stands for the homogeneous lists of type A.

List[A] = ∀(L) L→(A→L→L)→L

We have:

A<:B  ⇒  List[A] <: List[B]

nil : ∀(A) List[A] =
    λ(A) λ(L) λ(n:L) λ(c:A→L→L) n

cons : ∀(A) A→List[A]→List[A] =
    λ(A) λ(hd:A) λ(tl:List[A])
    λ(L) λ(n:L) λ(c:A→L→L)
    c(hd)(tl(L)(n)(c))

length : ∀(A) List[A]→Nat =
    λ(A) λ(l:List[A])
    l(Nat)(zero)(λ(a:A) λ(n:Nat) succ(n))

As an application of (Eq appl2) we can now show some interesting facts. Namely, any
two null lists are equal in List[Top], and have the same length in Nat. Similarly for two
singleton lists, and so on. In the proof, we will use the Eq-substitution proposition of
Section 2.4.

Take b:B and c:C, then:

⊢ nil(B) ↔ nil(C) : List[Top]    (Eq appl2)

⊢ length(Top)(nil(B)) ↔ length(Top)(nil(C)) : Nat    (Eq appl2, Eq appl)

⊢ cons(B)(b)(nil(B)) ↔ cons(C)(c)(nil(C)) : List[Top]

by Eq-substitution, starting from

X<:Top, x:X, l:List[X] ⊢ cons(X)(x)(l) : List[X]

⊢ length(B)(cons(B)(b)(nil(B))) ↔ length(C)(cons(C)(c)(nil(C))) : Nat

by Eq-substitution, starting from

X<:Top, l:List[X] ⊢ length(X)(l) : Nat

Note that we have proven an interesting property of the behavior of length uniquely
from its type; any function f : ∀(A) List[A]→Nat has such a property. This fact is related
to the theorems proved in [Wad 89] using only the types of terms. A difference is that our
proof is carried out within F<:, whereas Wadler uses semantic parametricity properties
beyond the proof system of F.

4. The category of closed terms 

It is well known that the usual second-order encodings for products and coproducts,
while logically sound, do not define under βη-equality true categorical constructions.
One can easily prove the existence of a term making a certain diagram commute, but its
uniqueness does not follow from the standard equational rules.

As an example of the expressive power of (Eq appl2), we show that those encodings are
really categorical constructions when the underlying equational theory is the one of F<:.
In the same vein, motivated by the semantic isomorphisms obtained in [BFSS 90] and [Fre
91] as consequences of parametricity, we investigate some provable isomorphisms in a
suitable setting. The framework for our discussion is a category whose objects are the sets
of closed terms of a closed type.

4.1 Definitions and basic properties 

Recall that given a typed λ-calculus language and a λ-theory T, a category Cl(T) is
determined by taking as objects of Cl(T) the (closed) types of T [LS 86] [MS 89]. As for
morphisms, choose first one variable for each type and define the morphisms from A to B
to be equivalence classes of typing judgments x:A ⊢ t:B, where x is the chosen variable of
type A, and the equivalence relation is given by the equality judgments x:A ⊢ t↔t':B of
T. We will write [x:A ⊢ t:B] for the morphism given by the judgment x:A ⊢ t:B. Identity
is given by [x:A ⊢ x:A] and composition is defined by substitution:

[y:B ⊢ s:C] ∘ [x:A ⊢ t:B] = [x:A ⊢ s{y←t}:C]

The category Cl(F<:), obtained by applying this construction to F<:, has a terminal
object, given by Top. For any object A, the canonical morphism from A to Top is
[x:A ⊢ top:Top]; uniqueness is guaranteed by (Eq collapse).

Now, given an arbitrary (small) category C with a terminal object 1, consider the
canonical functor ⌜_⌝ : C → Sets given by:

For any object A:
    ⌜A⌝ = C(1,A)  (the set of all morphisms 1→A)
For any morphism f ∈ C(A,B):
    ⌜f⌝ is the mapping from ⌜A⌝ to ⌜B⌝ given by composing with f
    (that is, ⌜f⌝(p) = f∘p for p ∈ C(1,A))

Note that ⌜_⌝ is not faithful if C is not well-pointed (as defined in 4.2.5). Given
f,g ∈ C(A,B), ⌜f⌝ and ⌜g⌝ are set-theoretical mappings and therefore, in order to have
⌜f⌝ = ⌜g⌝ it is sufficient that f∘p = g∘p for any p ∈ C(1,A). The values of the functor
⌜_⌝ : C → Sets over all the objects and morphisms of C give a subcategory of Sets that can
be denoted with ⌜C⌝.

The category we are interested in is ⌜Cl(F<:)⌝. We will prove, as consequences of (Eq
appl2), that it has finite products and coproducts. For this, however, it is convenient to
introduce the category CL, equivalent to ⌜Cl(F<:)⌝, for which we can give a more explicit
description.

Remark

⊢ A type reads "A is a closed type"

⊢ a:A reads "a is a closed term of closed type A"

Definition (cl-equality)

For ⊢ f,f' : A→B, we say ⊢ f ↔cl f' : A→B iff
for all a, ⊢ a:A implies ⊢ f(a) ↔ f'(a) : B

The objects of ⌜Cl(F<:)⌝ are, for any ⊢ A type, the sets of morphisms [z:Top ⊢ t:A]. By
(Eq collapse) and congruence, [z:Top ⊢ t:A] = [z:Top ⊢ t{z←top}:A]. The term t{z←top} is
closed and z:Top ⊢ t{z←top}:A iff ⊢ t{z←top}:A. Any object of ⌜Cl(F<:)⌝ is therefore
isomorphic to the set of equivalence classes [⊢ a:A] of closed terms of a closed type; the
equivalence relation is given by the equality judgments ⊢ a↔a':A. (Write ⊢ A type for
such a set.) These sets are the objects of the category CL.

The morphisms of ⌜Cl(F<:)⌝ are, for any morphism f = [x:A ⊢ t:B] of Cl(F<:), the
mappings from ⌜A⌝ to ⌜B⌝ given by ⌜f⌝([z:Top ⊢ a:A]) = [z:Top ⊢ t{x←a}:B] for any
[z:Top ⊢ a:A]. By β- and η-conversion one obtains a category equivalent to ⌜Cl(F<:)⌝ by
stipulating that a morphism of CL from ⊢ A type to ⊢ B type is an equivalence class of
derivable term judgments:

⊢ f:A→B

where the morphism equivalence is

(⊢ f:A→B) = (⊢ f':A→B) iff ⊢ f ↔cl f' : A→B.

The identity judgment is

id_A = ⊢ λ(x:A)x : A→A

and the composition judgment is, for any ⊢ h:A→B and ⊢ g:B→C:

g∘h = ⊢ λ(x:A)g(h(x)) : A→C

(We also ambiguously use g∘h = λ(x:A)g(h(x)).)

We remark that morphism equivalence is not provable equality. For two morphisms
⊢ f:A→B and ⊢ f':A→B to be equal it is sufficient that f and f' agree on the closed terms of
type A. Similarly, the following two definitions correspond to isomorphism and
uniqueness (for morphisms) in CL.
Definition (cl-isomorphism)

We say ⊢ A ≅cl B iff there exist ⊢ f:A→B, ⊢ g:B→A such that
⊢ g∘f ↔cl id_A : A→A
⊢ f∘g ↔cl id_B : B→B

Definition (cl-uniqueness)

We say ⊢ f:A→B is the cl-unique f satisfying P(f) iff

for any other ⊢ f':A→B satisfying P(f') we have ⊢ f ↔cl f' : A→B.

In order to prove that CL has finite products and coproducts, we need some more
lemmas in F<:, and especially the crucial consequence of (Eq appl2) expressed in the eq-
var-substitution lemma, below.

Lemma (Type monotonicity)

Let E,X<:B ⊢ C <: D <: B and E,X<:B,E' ⊢ S type. Then

(i) X positive in S  ⇒  E,X<:B,E' ⊢ S{X←C} <: S{X←D}

(ii) X negative in S  ⇒  E,X<:B,E' ⊢ S{X←D} <: S{X←C}
Proof

By induction on the derivation E,X<:B,E' ⊢ S type. The only less trivial
case is (Type ∀). Assume X positive in ∀(Y<:S1)S2. By induction hypothesis:

E,X<:B,E' ⊢ S1{X←D} <: S1{X←C}
From E,X<:B,E',Y<:S1 ⊢ S2 type, by the bound change lemma:

E,X<:B,E',Y<:S1{X←D} ⊢ S2 type
Now conclude by induction and (Sub ∀). □

Definition (Pointed on X)

Given a type variable X, a type S is pointed on X iff X is positive in
S and S = ∀(Y_1<:B_1)...∀(Y_k<:B_k) T_1→(...→(T_h→X)...) for k≥0, h≥0.

Lemma (Generalized collapse)

Let E,X<:Top ⊢ S type, with S pointed on X.

E ⊢ D type and E ⊢ s : S{X←D}  ⇒  E,X<:Top,x:S ⊢ x ↔ s : S{X←Top}

Proof

Let S = ∀(Y_1<:B_1)...∀(Y_k<:B_k) T_1→(...→(T_h→X)...).
By the type monotonicity lemma,

E,X<:Top ⊢ S <: S{X←Top} and E,X<:Top ⊢ S{X←D} <: S{X←Top}.
Let F = Y_1<:B_1{X←Top},...,Y_k<:B_k{X←Top}, t_1:T_1{X←Top},...,t_h:T_h{X←Top}.
By (Val x), weakening, and (Subsumption),

E,X<:Top,x:S,F ⊢ x : S{X←Top}
by (Val appl2) and (Val appl),

E,X<:Top,x:S,F ⊢ x(Y_1)...(Y_k)(t_1)...(t_h) : Top
Analogously, from E ⊢ s : S{X←D} we obtain:

E,X<:Top,x:S,F ⊢ s : S{X←Top}
and then:

E,X<:Top,x:S,F ⊢ s(Y_1)...(Y_k)(t_1)...(t_h) : Top

By (Eq collapse),

E,X<:Top,x:S,F ⊢ x(Y_1)...(Y_k)(t_1)...(t_h) ↔ s(Y_1)...(Y_k)(t_1)...(t_h) : Top
By (Eq fun), (Eq fun2), (Eq eta) and (Eq eta2),
E,X<:Top,x:S ⊢ x ↔ s : S{X←Top}. □

By generalized collapse and the eq-substitution property (Section 2.4) we obtain the
following lemma, which expresses a parametricity property: a (possibly open) term a of a
closed type A is provably equal to any term obtained by substituting specific types and
terms for its free variables.

Lemma (Eq-var-substitution)

Assume, for i=1..n, E',X<:Top ⊢ S_i type and S_i pointed on X. Let:

E = E', X<:Top, x_1:S_1, ..., x_n:S_n.
If ⊢ A type, E ⊢ a:A, E' ⊢ D type and E' ⊢ t_i : S_i{X←D} for i=1..n,
then E ⊢ a ↔ a{X←D, x_1←t_1, ..., x_n←t_n} : A.
Proof

By the generalized collapse lemma, for i=1..n:

E',X<:Top,x_i:S_i ⊢ x_i ↔ t_i : S_i{X←Top}.
The eq-substitution proposition (Sect. 2.4) allows us to conclude. □

4.2 CL finite products and coproducts; well-pointedness 

In this section we show that the equational theory of F<: is strong enough to entail
some basic categorical properties of CL.

4.2.1 Terminal objects
Proposition

For any object ⊢ C type, there is a unique morphism ⊢ 1_C : C→Top.
Proof

Take 1_C = λ(x:C) top.
Take any other morphism ⊢ f : C→Top.
x:C ⊢ f : C→Top    (weaken)

x:C ⊢ f(x) ↔ top : Top    (Eq collapse)

⊢ λ(x:C)f(x) ↔ λ(x:C) top : C→Top    (Eq fun)

⊢ f ↔ 1_C : C→Top    (Eq eta)

A fortiori, ⊢ f ↔cl 1_C : C→Top. □






4.2.2 Binary products 

Definition 

AxB = V(C) (A^B^C)^C 

Proposition 

For any pair of objects h A type, h 5 fype, the object h AxB ^ / 

fype is their categorical product. That is, there exist v , 

h Z/AxB^A, h r.AxB^B such that for any h C fyp<?, and for \ 4 

any h f:C—>A, h g:C—>B, there exists a unique (i.e. cl- y\ : ^ 

unique) h h. C^AxB such that h /°/z ^ c/ /: C^A and hro/i \ i 

«* cl g:C^B. C 

Define: 

px = l{x:A)l{y:B)x 
py = X(x:A)X(y:B)y 

I = l{p:AxB)p{A){px) then h LAxB^A 

r = X(p:AxB)p(B)(py) then h r:AxB—>B 

pair = Afa.AjA(Z7.-5jAfCjAf<?.A^5^CMaJf^ 

then h paz'r : A^5^AxB 
co M p/e ± MC)Mf:C^A)Mg:C^B)Mc:C)pair(f(c))(g(c)) 

then h cowpfe : fC^AJ^fC^5J^C^fAxgJ 

Fix an object ⊢ C type and two morphisms ⊢ f : C→A and ⊢ g : C→B.

1) Existence.

Take h ≜ couple(C)(f)(g) ↔ λ(c:C)pair(f(c))(g(c)).
⊢ l∘h ↔ λ(z:C)l(h(z)) ↔ λ(z:C)f(z) ↔ f : C→A
⊢ r∘h ↔ λ(z:C)r(h(z)) ↔ λ(z:C)g(z) ↔ g : C→B

2) The morphism above is well defined. Just show that:

⊢ f' ↔_cl f : C→A, ⊢ g' ↔_cl g : C→B implies
⊢ couple(C)(f)(g) ↔ couple(C)(f')(g') : C→A×B

3) Uniqueness.

3.1) Show, for ⊢ c : A×B, that ⊢ couple(A×B)(l)(r)(c) ↔ c : A×B.
The normal form of c must have the shape:

c = λ(C)λ(q:D)q(a)(b)
for some C<:Top ⊢ A→B→C <: D, C<:Top, q:D ⊢ a : A, and C<:Top, q:D ⊢ b : B.
By the bound weakening lemma,
C<:Top, q:A→B→C ⊢ a : A, and C<:Top, q:A→B→C ⊢ b : B
and by (Eq fun'), for c' = λ(C)λ(q:A→B→C)q(a)(b),
⊢ c ↔ c' : A×B.
By β-conversion
⊢ l(c) ↔ c(A)(px) ↔ a{C←A, q←px} : A   Let a1 = a{C←A, q←px}
⊢ r(c) ↔ c(B)(py) ↔ b{C←B, q←py} : B   Let b1 = b{C←B, q←py}.
By the eq-var-substitution lemma,
C<:Top, q:A→B→C ⊢ a ↔ a1 : A
C<:Top, q:A→B→C ⊢ b ↔ b1 : B
C<:Top, q:A→B→C ⊢ q(a)(b) ↔ q(a1)(b1) : C   (Eq appl)
⊢ λ(C)λ(q:A→B→C)q(a)(b) ↔ λ(C)λ(q:A→B→C)q(a1)(b1) : A×B   (Eq fun, Eq fun2)
Hence:
⊢ couple(A×B)(l)(r)(c) ↔ pair(l(c))(r(c))
   ↔ λ(C)λ(q:A→B→C)q(a1)(b1) ↔ λ(C)λ(q:A→B→C)q(a)(b)
   ↔ c' ↔ c : A×B

3.2) Show, by β-conversion, that for any ⊢ D type, ⊢ k : D→C, and ⊢ d : D,
⊢ couple(D)(f∘k)(g∘k)(d) ↔ (couple(C)(f)(g)∘k)(d) : A×B.

That h is cl-unique now follows by the usual argument. □

Corollary   ⊢ A ≅_cl A', ⊢ B ≅_cl B'  ⇒  ⊢ A×B ≅_cl A'×B'

Proof

Standard diagram chasing, from the existence of products. □
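The definitions of Section 4.2.2 written out in TypeScript, where a generic function type plays the role of ∀(C); this is an added example, not code from the paper, and the value-level check at the end uses constructed sample morphisms f and g:

```typescript
// Section 4.2.2 encodings as TypeScript generic function types
// (a generic function type plays the role of ∀(C)). Added example, not the paper's code.
type Prod<A, B> = <C>(q: (a: A) => (b: B) => C) => C;   // A×B ≜ ∀(C)(A→B→C)→C

// px ≜ λ(x:A)λ(y:B)x   py ≜ λ(x:A)λ(y:B)y
const px = <A, B>(x: A) => (_y: B): A => x;
const py = <A, B>(_x: A) => (y: B): B => y;

// l ≜ λ(p:A×B)p(A)(px)   r ≜ λ(p:A×B)p(B)(py)
const l = <A, B>(p: Prod<A, B>): A => p<A>(px);
const r = <A, B>(p: Prod<A, B>): B => p<B>(py);

// pair ≜ λ(a:A)λ(b:B)λ(C)λ(q:A→B→C)q(a)(b)
const pair = <A, B>(a: A) => (b: B): Prod<A, B> =>
  <C>(q: (a: A) => (b: B) => C) => q(a)(b);

// couple ≜ λ(C)λ(f:C→A)λ(g:C→B)λ(c:C)pair(f(c))(g(c)), the mediating morphism h
const couple = <A, B, C>(f: (c: C) => A, g: (c: C) => B) => (c: C): Prod<A, B> =>
  pair<A, B>(f(c))(g(c));

// Constructed check with C = number, A = string, B = number of the proof's
// equations: l∘h ↔ f, r∘h ↔ g (existence), and couple(A×B)(l)(r)(p) ↔ p
// (step 3.1). A product term is only observable through elimination, so the
// last equation is checked by observing both sides with the same q.
function productLaws(c: number): [string, number, number] {
  const f = (n: number): string => `n=${n}`;  // f : C→A
  const g = (n: number): number => n * 2;     // g : C→B
  const h = couple<string, number, number>(f, g);
  const p = h(c);
  const p2 = couple<string, number, Prod<string, number>>(
    (q) => l<string, number>(q),
    (q) => r<string, number>(q),
  )(p);
  const observe = (q: Prod<string, number>): number =>
    q<number>((s) => (n) => s.length + n);
  if (observe(p2) !== observe(p)) throw new Error("product law 3.1 failed");
  return [l<string, number>(p), r<string, number>(p), observe(p2)];
}
```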

4.2.3 Initial objects

Definition

Bot ≜ ∀(X)X

Proposition

For any object ⊢ C type, there is a unique morphism ⊢ 0_C : Bot→C.

Proof

Take 0_C ≜ λ(x:Bot) x(C).
Take any other morphism ⊢ f : Bot→C.
Since there are no terms c such that ⊢ c : Bot, it is vacuously true that for all
⊢ c : Bot, ⊢ f(c) ↔ 0_C(c) : C, that is, that ⊢ f ↔_cl 0_C : Bot→C. □

Remark

Bool→Bot is also an initial object, by the same argument, since there are no terms of
type Bool→Bot. The unique map is the equivalence class of λ(x:Bool→Bot) x(true)(C),
which includes λ(x:Bool→Bot) x(false)(C). More generally, any empty type V for which
there exists a term ⊢ f : V→Bot is initial. The canonical morphism is the equivalence class
of λ(x:V) f(x)(C), which is cl-unique since there are no closed terms ⊢ c : V.



4.2.4 Binary coproducts

Definition

A+B ≜ ∀(C) (A→C)→(B→C)→C

Proposition

For any pair of objects ⊢ A type, ⊢ B type, the object ⊢ A+B type is their categorical
coproduct. That is, there exist ⊢ i : A→A+B, ⊢ j : B→A+B such that for any ⊢ C type,
and for any ⊢ f : A→C, ⊢ g : B→C, there exists a unique (i.e. cl-unique) ⊢ h : A+B→C
such that ⊢ h∘i ↔_cl f : A→C and ⊢ h∘j ↔_cl g : B→C.

Define:

i ≜ λ(x:A)λ(C)λ(f:A→C)λ(g:B→C) f(x)   then ⊢ i : A→A+B
j ≜ λ(y:B)λ(C)λ(f:A→C)λ(g:B→C) g(y)   then ⊢ j : B→A+B
case ≜ λ(C)λ(f:A→C)λ(g:B→C)λ(c:A+B) c(C)(f)(g)
   then ⊢ case : ∀(C) (A→C)→(B→C)→(A+B)→C

0) Let ⊢ c : A+B; then the normal form of c must have one of the shapes:

c = λ(C')λ(f':D)λ(g':G) f'(a)
   for some C'<:Top ⊢ A→C' <: D, C'<:Top ⊢ B→C' <: G, and C'<:Top, f':D, g':G ⊢ a : A
c = λ(C')λ(f':D)λ(g':G) g'(b)
   for some C'<:Top ⊢ A→C' <: D, C'<:Top ⊢ B→C' <: G, and C'<:Top, f':D, g':G ⊢ b : B

By the bound weakening lemma,
C'<:Top, f':A→C', g':B→C' ⊢ a : A
C'<:Top, f':A→C', g':B→C' ⊢ b : B
and, by (Eq fun'),
either ⊢ c ↔ λ(C')λ(f':A→C')λ(g':B→C') f'(a) : A+B
or ⊢ c ↔ λ(C')λ(f':A→C')λ(g':B→C') g'(b) : A+B

Fix an object ⊢ C type and two morphisms ⊢ f : A→C and ⊢ g : B→C.

1) Existence.

Take h ≜ case(C)(f)(g).
⊢ h∘i ↔ λ(x:A)h(i(x)) ↔ λ(x:A)f(x) ↔ f : A→C
⊢ h∘j ↔ λ(y:B)h(j(y)) ↔ λ(y:B)g(y) ↔ g : B→C

2) The morphism above is well defined.

Show that ⊢ f'' ↔_cl f : A→C, ⊢ g'' ↔_cl g : B→C implies
⊢ case(C)(f)(g) ↔ case(C)(f'')(g'') : A+B→C.
That is, for ⊢ c : A+B,
⊢ case(C)(f)(g)(c) ↔ case(C)(f'')(g'')(c) : C.
By (0) and β-conversion, either
⊢ case(C)(f)(g)(c) ↔ f(a{C'←C, f'←f, g'←g}) : C and
⊢ case(C)(f'')(g'')(c) ↔ f''(a{C'←C, f'←f'', g'←g''}) : C
or
⊢ case(C)(f)(g)(c) ↔ g(b{C'←C, f'←f, g'←g}) : C and
⊢ case(C)(f'')(g'')(c) ↔ g''(b{C'←C, f'←f'', g'←g''}) : C

In the first case (the other one is similar), the eq-var-substitution lemma gives:
C'<:Top, f':A→C', g':B→C' ⊢ a ↔ a{C'←C, f'←f, g'←g} : A   and also
C'<:Top, f':A→C', g':B→C' ⊢ a ↔ a{C'←C, f'←f'', g'←g''} : A
from which we infer:
⊢ a{C'←C, f'←f'', g'←g''} ↔ a{C'←C, f'←f, g'←g} : A
since both terms are closed. Now conclude by using ⊢ f'' ↔_cl f : A→C.

3) Uniqueness.

3.1) Show, for ⊢ c : A+B, that ⊢ case(A+B)(i)(j)(c) ↔ c : A+B.
By cases on the normal form of c, according to (0).
In the first case,
⊢ case(A+B)(i)(j)(c) ↔ c(A+B)(i)(j) ↔ i(a{C'←A+B, f'←i, g'←j}) : A+B
Let a1 = a{C'←A+B, f'←i, g'←j}. By the eq-var-substitution lemma,
C'<:Top, f':A→C', g':B→C' ⊢ a1 ↔ a : A
C'<:Top, f':A→C', g':B→C' ⊢ f'(a1) ↔ f'(a) : C'   (Eq appl)
⊢ λ(C')λ(f':A→C')λ(g':B→C') f'(a1) ↔ λ(C')λ(f':A→C')λ(g':B→C') f'(a) : A+B   (Eq fun, Eq fun2)
⊢ i(a1) ↔ c : A+B   (def)
⊢ case(A+B)(i)(j)(c) ↔ c : A+B   (equation above)
The second case is similar.

3.2) Show, for any ⊢ D type, ⊢ k : C→D, and ⊢ c : A+B,
⊢ case(D)(k∘f)(k∘g)(c) ↔ (k∘case(C)(f)(g))(c) : D.
By cases on the normal form of c, according to (0).
In the first case we have:
⊢ case(D)(k∘f)(k∘g)(c) ↔ c(D)(k∘f)(k∘g) ↔ k(f(a{C'←D, f'←k∘f, g'←k∘g})) : D
⊢ (k∘case(C)(f)(g))(c) ↔ k(f(a{C'←C, f'←f, g'←g})) : D
From the eq-var-substitution lemma,
C'<:Top, f':A→C', g':B→C' ⊢ a ↔ a{C'←D, f'←k∘f, g'←k∘g} : A
C'<:Top, f':A→C', g':B→C' ⊢ a ↔ a{C'←C, f'←f, g'←g} : A
Conclude by transitivity and (Eq appl).
The second case is similar.

4) Uniqueness can now be shown by the standard argument. □

Corollary   ⊢ A ≅_cl A', ⊢ B ≅_cl B'  ⇒  ⊢ A+B ≅_cl A'+B'

Proof

Standard diagram chasing, from the existence of coproducts. □
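The coproduct encoding of Section 4.2.4, together with Bot from 4.2.3, in TypeScript; an added example rather than code from the paper, with constructed sample morphisms f and g for the check:

```typescript
// Section 4.2.4 encoding A+B ≜ ∀(C)(A→C)→(B→C)→C, and Bot ≜ ∀(X)X from 4.2.3,
// as TypeScript generic function types. Added example, not the paper's code;
// the paper's i, j, case are named inl, inr, caseOf here (`case` is reserved).
type Sum<A, B> = <C>(f: (a: A) => C) => (g: (b: B) => C) => C;

// i ≜ λ(x:A)λ(C)λ(f:A→C)λ(g:B→C) f(x)
const inl = <A, B>(x: A): Sum<A, B> =>
  <C>(f: (a: A) => C) => (_g: (b: B) => C) => f(x);
// j ≜ λ(y:B)λ(C)λ(f:A→C)λ(g:B→C) g(y)
const inr = <A, B>(y: B): Sum<A, B> =>
  <C>(_f: (a: A) => C) => (g: (b: B) => C) => g(y);
// case ≜ λ(C)λ(f:A→C)λ(g:B→C)λ(c:A+B) c(C)(f)(g)
const caseOf = <A, B, C>(f: (a: A) => C, g: (b: B) => C) => (c: Sum<A, B>): C =>
  c<C>(f)(g);

// Bot ≜ ∀(X)X: an inhabitant would have to return an X for every X, so no
// closed term has this type; 0_C ≜ λ(x:Bot) x(C) is the unique map out of it.
type Bot = <X>() => X;
const fromBot = <C>(x: Bot): C => x<C>();

// Constructed check with A = number, B = string, C = string of the proof's
// equations h∘i ↔ f, h∘j ↔ g (existence) and case(A+B)(i)(j)(c) ↔ c (step 3.1),
// the last observed through h since a sum term is only visible by elimination.
function coproductLaws(n: number, s: string): [string, string, string] {
  const f = (a: number): string => `num:${a}`;  // f : A→C
  const g = (b: string): string => `str:${b}`;  // g : B→C
  const h = caseOf<number, string, string>(f, g);
  const a = inl<number, string>(n);
  const b = inr<number, string>(s);
  const etaA = caseOf<number, string, Sum<number, string>>(
    (x) => inl<number, string>(x),
    (y) => inr<number, string>(y),
  )(a);
  if (h(etaA) !== h(a)) throw new Error("coproduct law 3.1 failed");
  return [h(a), h(b), h(etaA)];
}
```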

4.2.5 Well-pointedness

A category C with a terminal object 1 is well-pointed iff for any pair of objects A and
B and any f, g ∈ C(A,B) we have:

f = g iff for any h ∈ C(1,A), f∘h = g∘h.

Proposition

CL is well-pointed.

That is, for any ⊢ A type, ⊢ B type, and any ⊢ f, g : A→B we have:

⊢ f ↔_cl g : A→B  ⇔  for any ⊢ h : Top→A, ⊢ f∘h ↔_cl g∘h : Top→B

Proof

(⇒) Take any ⊢ h : Top→A.
x:Top ⊢ f(h(x)) ↔ f(h(top)) : B   (Eq collapse) and (Eq appl)
x:Top ⊢ g(h(x)) ↔ g(h(top)) : B   similarly
x:Top ⊢ f(h(top)) ↔ g(h(top)) : B   hypothesis, weaken
⊢ λ(x:Top) f(h(x)) ↔ λ(x:Top) g(h(x)) : Top→B   (Eq trans) and (Eq fun)
Hence ⊢ f∘h ↔ g∘h : Top→B.

(⇐) Take ⊢ a : A, and consider h = λ(x:Top)a.
⊢ (f∘h)(top) ↔ (g∘h)(top) : B   hypothesis
⊢ f(a) ↔ g(a) : B   (Eq beta)
Hence ⊢ f ↔_cl g : A→B. □

4.3 CL isomorphisms

The following isomorphisms were inspired by [BFSS 90] and [Fre 91].

4.3.1 Double negation

We prove that, for any ⊢ A type, we have A ≅ ∀(C)(A→C)→C. This is an isomorphism
holding in the models studied in [BFSS 90], but which has no known proof in F.
(See the remark at the end of this section.)

Proposition

⊢ A type  ⇒  ⊢ A ≅_cl ∀(C)(A→C)→C

Proof

Define:
f ≜ λ(x:∀(C)(A→C)→C) x(A)(id(A))
g ≜ λ(y:A)λ(C)λ(z:A→C) z(y)
Then ⊢ f : (∀(C)(A→C)→C)→A, and ⊢ g : A→(∀(C)(A→C)→C).

Take a such that ⊢ a : A. Then, by β-conversion:
⊢ f(g(a)) ↔ f(λ(C)λ(z:A→C) z(a))
   ↔ (λ(C)λ(z:A→C) z(a))(A)(id(A))
   ↔ id(A)(a) ↔ a : A

Take closed b such that ⊢ b : ∀(C)(A→C)→C. Then b has a normal form of the shape
b = λ(C)λ(z:D) z(a1)
for some C<:Top ⊢ A→C <: D and C<:Top, z:D ⊢ a1 : A.
By the bound weakening lemma,
C<:Top, z:A→C ⊢ a1 : A
and hence
⊢ b ↔ λ(C)λ(z:A→C) z(a1)
Then
⊢ g(f(b)) ↔ λ(C)λ(z:A→C) z(a1{C←A, z←id(A)}) : ∀(C)(A→C)→C
By the eq-var-substitution lemma,
C<:Top, z:A→C ⊢ a1 ↔ a1{C←A, z←id(A)} : A
Hence,
C<:Top, z:A→C ⊢ z(a1) ↔ z(a1{C←A, z←id(A)}) : C
That is:
⊢ λ(C)λ(z:A→C) z(a1) ↔ λ(C)λ(z:A→C) z(a1{C←A, z←id(A)}) : ∀(C)(A→C)→C
Combining the two equations above:
⊢ g(f(b)) ↔ λ(C)λ(z:A→C) z(a1) ↔ b : ∀(C)(A→C)→C. □

Remark

Christine Paulin-Mohring has shown that, even for A closed, A ≅ ∀(C)(A→C)→C is
not provable in F via the isomorphism we have used in the proof above. (It is not known
whether some other isomorphism would work.) To see this, let T be ∀(R)R→R; the term:

λ(P) λ(x:(T→T)→P) x(λ(y:T) y(P→T)(λ(u:P)y)(x(λ(v:T)v))) : ∀(P)((T→T)→P)→P

is not convertible to any term of the form:

λ(P) λ(x:(T→T)→P) x(c)

where c is a closed term of type T→T.

Moreover, Roberto Di Cosmo [DiC 91] has shown that A is not isomorphic to
∀(C)(A→C)→C in F in the usual sense of F-isomorphisms, as opposed to cl-isomorphisms.

4.3.2 Existentials

We prove in this section that the terminal type Top is isomorphic in CL to ∃(X)X.
From the programming point of view this is consistent with the intuition that, although
any value can be encapsulated as an object of type ∃(X)X, there is no way of using an
object of this type. We will prove, more generally, that ∃(X<:A)X ≅ A (i.e. ⊢ ∃(X<:A)X
≅_cl A).

Lemma 1

E ⊢ B type, E ⊢ y : ∀(X<:A)X→B, E ⊢ A' <: A, E ⊢ a' : A', E ⊢ a' ↔ a : A
⇒ E ⊢ y(A)(a) ↔ y(A')(a') : B

Proof

First,
E ⊢ y ↔ y : ∀(X<:A)X→B   hypothesis, (Eq x)
E ⊢ y(A) ↔ y(A) : A→B   (Eq appl2), since X ∉ FV(B), by E ⊢ B type
E ⊢ y(A)(a) ↔ y(A)(a') : B   hypothesis, (Eq appl)
Then,
E ⊢ y ↔ y : ∀(X<:A)X→B   hypothesis, (Eq x)
E ⊢ y(A) ↔ y(A') : A'→B   (Eq appl2)
E ⊢ y(A)(a') ↔ y(A')(a') : B   hypothesis, (Eq appl)
Finally,
E ⊢ y(A)(a) ↔ y(A')(a') : B. □

Definition

Let id : ∀(A)∀(W<:A)W→W ≜ λ(A)λ(W<:A)λ(w:W) w

Definition

∃(W<:A)B ≜ ∀(V)(∀(W<:A)B→V)→V

some : ∀(A)∀(X<:A)X→∃(W<:A)W
   ≜ λ(A)λ(X<:A)λ(x:X)λ(V)λ(z:∀(W<:A)W→V) z(X)(x)

Proposition

⊢ A type  ⇒  ⊢ A ≅_cl ∃(X<:A)X

Proof

Let ⊢ f : (∃(W<:A)W)→A, where f ≜ λ(p:∃(W<:A)W) p(A)(id(A)).
Let ⊢ g : A→(∃(W<:A)W), where g ≜ λ(x:A) some(A)(A)(x).

Take a such that ⊢ a : A. Then
⊢ f(g(a)) ↔ f(some(A)(A)(a))
   ↔ f(λ(V)λ(z:∀(W<:A)W→V) z(A)(a))
   ↔ (λ(V)λ(z:∀(W<:A)W→V) z(A)(a))(A)(id(A))
   ↔ id(A)(A)(a)
   ↔ a : A

Take closed b such that ⊢ b : ∃(W<:A)W. Then b has a normal form of the shape:
b = λ(V)λ(z:D) z(B1)(b1)
for some D, B1, b1 such that:
V<:Top ⊢ ∀(W<:A)W→V <: D
V<:Top, z:D ⊢ b1 : B1 <: A
By the bound weakening lemma, and (Eq fun'),
⊢ b ↔ λ(V)λ(z:∀(W<:A)W→V) z(B1)(b1)
Then
⊢ g(f(b)) ↔ g(b(A)(id(A)))
   ↔ g(id(A)(B1{V←A})(b1{V←A, z←id(A)}))
   ↔ g(b1{V←A, z←id(A)})
   ↔ some(A)(A)(b1{V←A, z←id(A)})
   ↔ λ(V)λ(z:∀(W<:A)W→V) z(A)(b1{V←A, z←id(A)})
   : ∃(W<:A)W
By the eq-var-substitution lemma, since
⊢ id(A) : ∀(W<:A)W→W <: ∀(W<:A)W→A,
V<:Top, z:∀(W<:A)W→V ⊢ b1 ↔ b1{V←A, z←id(A)} : A.
Hence by Lemma 1,
V<:Top, z:∀(W<:A)W→V ⊢ z(A)(b1{V←A, z←id(A)}) ↔ z(B1)(b1) : V
That is:
⊢ λ(V)λ(z:∀(W<:A)W→V) z(A)(b1{V←A, z←id(A)})
   ↔ λ(V)λ(z:∀(W<:A)W→V) z(B1)(b1)
   : ∃(W<:A)W
Combining the two equations above:
⊢ g(f(b)) ↔ λ(V)λ(z:∀(W<:A)W→V) z(B1)(b1) ↔ b : ∃(W<:A)W. □

Corollary

⊢ Top ≅_cl ∃(X)X
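The witnesses f and g of the two isomorphisms in Sections 4.3.1 and 4.3.2, in TypeScript, with `extends` standing in for the bound W<:A and the sample type Tagged constructed for the round-trip check; this is an added example, not code from the paper:

```typescript
// Sections 4.3.1 and 4.3.2: the witnesses f and g of A ≅ ∀(C)(A→C)→C and of
// A ≅ ∃(X<:A)X, in TypeScript with `extends` standing in for <:.
// Added example, not the paper's code.
type DN<A> = <C>(z: (a: A) => C) => C;                 // ∀(C)(A→C)→C

// f ≜ λ(x:∀(C)(A→C)→C) x(A)(id(A))   g ≜ λ(y:A)λ(C)λ(z:A→C) z(y)
const dnOut = <A>(x: DN<A>): A => x<A>((a: A) => a);
const dnIn = <A>(y: A): DN<A> => <C>(z: (a: A) => C) => z(y);

// ∃(W<:A)W ≜ ∀(V)(∀(W<:A)W→V)→V
type Ex<A> = <V>(z: <W extends A>(w: W) => V) => V;

// some(A)(X)(x) ≜ λ(V)λ(z:∀(W<:A)W→V) z(X)(x): pack x at its own type X <: A
const some = <A, X extends A>(x: X): Ex<A> =>
  <V>(z: <W extends A>(w: W) => V) => z<X>(x);
// f ≜ λ(p:∃(W<:A)W) p(A)(id(A)): the only use of a package is to apply the
// polymorphic identity, which returns the value at the bound A
const exOut = <A>(p: Ex<A>): A => p<A>(<W extends A>(w: W): A => w);
// g ≜ λ(x:A) some(A)(A)(x)
const exIn = <A>(x: A): Ex<A> => some<A, A>(x);

// Constructed round trips with A = Tagged. f(g(a)) ↔ a is checked directly;
// g(f(b)) ↔ b, like every equation on ∀-typed terms, is observed through an
// eliminator. The last component packs a proper subtype and reopens it at A.
interface Tagged { tag: string; extra?: number }

function roundTrips(a: Tagged): [string, string, number, string] {
  const viaDN = dnOut<Tagged>(dnIn<Tagged>(a));
  const b: DN<Tagged> = <C>(z: (t: Tagged) => C) => z({ tag: a.tag + "!" });
  const b2 = dnIn<Tagged>(dnOut<Tagged>(b));
  const viaEx = exOut<Tagged>(exIn<Tagged>(a));
  const packed = some<Tagged, { tag: string; extra: number }>({ tag: "sub", extra: 5 });
  return [viaDN.tag, viaEx.tag, b2<number>((t) => t.tag.length), exOut<Tagged>(packed).tag];
}
```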
4.3.3 Other cl-isomorphisms

Many other isomorphisms can be derived with the techniques developed in the
previous sections. Among them we have the following.

Domain restriction

C ≅ ∀(X)X→C
A→C ≅ ∀(X<:A)X→C

Categorical

(A×B)×C ≅ A×(B×C)
A×Top ≅ Top×A ≅ A
(A+B)+C ≅ A+(B+C)
A+Bot ≅ Bot+A ≅ A

Various

Top→A ≅ A                       (by simple top collapse)
A→Top ≅ Top                     (by simple top collapse)
Top ≅ ∀(C)C→C                   (by analyzing the normal forms)
Bot→A ≅ Top                     (by analyzing the normal forms)
A→Bot ≅ Bot for A nonempty      (by vacuous f∘g ↔_cl id conditions, since both types are empty)
∀(X)(A→X) ≅ A→∀(X)X             (β-η suffices)



Conclusions 

We study an extension of system F with subtyping and its equational theory. While 
the equational rules are not complete for PER models, the main inspirations for the most 
novel rules come from PER models and categorical notions of parametricity. Although 
our proof system is not a conservative extension of system F, we prove the conservativity 
of typing judgments with respect to F. We study some categorical properties of the theory 
when restricted to closed terms, including interesting categorical isomorphisms. These 
isomorphisms provide some confidence in the strength of the proof system. Additional 
evidence is given by a set of encodings; these include record operations and subtyping 
hierarchies that are related to features of object-oriented languages. 

One important area we have not studied is an adequate computation system. Ideally 
we would like to have a notion of reduction such that any two provably equal terms 
reduce to a common term. If possible, we would like reductions to terminate as well. A 
standard approach is to orient each equational axiom in one direction. The two equational 
rules that lead to immediate problems are (Eq collapse) and (Eq appl2); for these it is not 
obvious how to produce an oriented reduction rule. Furthermore, in order to capture 
equivalence, a set of oriented rules would have to be proved confluent. If we had a 
computational characterization of equality, we would have decidability of the equational
system; in its absence, decidability remains an open problem.

The final form of the (Eq appl2) rule is still under investigation. Some recent insights
[ACC 93] seem to suggest that (Eq appl2-+) should be taken instead. Specifically, formal
systems considered in [BFSS 90] and [ACC 93] have the latter as a consequence, but not
the former. The (Eq appl2) rule was adopted here because it is valid in PER and has a
simpler syntactic form.
Appendix: System F

Environments

(Env ∅)
   -----------
   ⊢ ∅ env

(Env x)
   E ⊢ A type    x ∉ dom(E)
   -------------------------
   ⊢ E, x:A env

(Env X)
   ⊢ E env    X ∉ dom(E)
   ----------------------
   ⊢ E, X env

Types

(Type X)
   ⊢ E, X, E' env
   ------------------
   E, X, E' ⊢ X type

(Type →)
   E ⊢ A type    E ⊢ B type
   -------------------------
   E ⊢ A→B type

(Type ∀)
   E, X ⊢ B type
   ---------------
   E ⊢ ∀(X)B type

Values

(Val x)
   ⊢ E, x:A, E' env
   ------------------
   E, x:A, E' ⊢ x : A

(Val fun)
   E, x:A ⊢ b : B
   -------------------
   E ⊢ λ(x:A)b : A→B

(Val appl)
   E ⊢ b : A→B    E ⊢ a : A
   -------------------------
   E ⊢ b(a) : B

(Val fun2)
   E, X ⊢ b : B
   -------------------
   E ⊢ λ(X)b : ∀(X)B

(Val appl2)
   E ⊢ b : ∀(X)B    E ⊢ A type
   ----------------------------
   E ⊢ b(A) : B{X←A}

Equivalence

(Eq symm)
   E ⊢ a ↔ b : A
   --------------
   E ⊢ b ↔ a : A

(Eq trans)
   E ⊢ a ↔ b : A    E ⊢ b ↔ c : A
   -------------------------------
   E ⊢ a ↔ c : A

(Eq x)
   E ⊢ x : A
   --------------
   E ⊢ x ↔ x : A

(Eq fun)
   E, x:A ⊢ b ↔ b' : B
   ------------------------------
   E ⊢ λ(x:A)b ↔ λ(x:A)b' : A→B

(Eq appl)
   E ⊢ b ↔ b' : A→B    E ⊢ a ↔ a' : A
   ----------------------------------
   E ⊢ b(a) ↔ b'(a') : B

(Eq fun2)
   E, X ⊢ b ↔ b' : B
   ----------------------------
   E ⊢ λ(X)b ↔ λ(X)b' : ∀(X)B

(Eq appl2)
   E ⊢ b ↔ b' : ∀(X)B    E ⊢ A type
   ---------------------------------
   E ⊢ b(A) ↔ b'(A) : B{X←A}

(Eq eta)
   E ⊢ b ↔ b' : A→B    y ∉ dom(E)
   ------------------------------
   E ⊢ λ(y:A)b(y) ↔ b' : A→B

(Eq eta2)
   E ⊢ b ↔ b' : ∀(X)B    Y ∉ dom(E)
   --------------------------------
   E ⊢ λ(Y)b(Y) ↔ b' : ∀(X)B

(Eq beta)
   E, x:A ⊢ b ↔ b' : B    E ⊢ a ↔ a' : A
   -------------------------------------
   E ⊢ (λ(x:A)b)(a) ↔ b'{x←a'} : B

(Eq beta2)
   E, X ⊢ b ↔ b' : B    E ⊢ A type
   -------------------------------
   E ⊢ (λ(X)b)(A) ↔ b'{X←A} : B{X←A}